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PROVE CALCULATING APPARATUS, KEY ISSUING SYSTEM, AND PRIME CALCULATION METHOD 

Technical Field 

[0001] The present invention relates to a technology for maintaining 

information security that applies difficulty of prime factorization 
as a source of safety. 

Background Art 

[0002] Data communications based on computer technology and 

communication technology have become in recent years widely in use. 
In these data communications, a privacy communication system and a 
digital signature system are used. Here, the privacy communication 
system is a system in which communication is performed with the 
communication contents kept secret from any other entities except for 
certain communication destinations. The digital signature system is 
a communication system showing the validity of the communication 
contents to the communication destinations, or proving the sender's 
identity . 

[0003] 1. PUBLIC KEY ENCRYPTION SYSTEM 

An encryption system called a public key encryption system is used 
in the privacy communication system or the digital signature system. 
In the privacy communications using the public key encryption system, 
the encryption key and the decryption key are different from each other, 
and the encryption key is made publicly available while the decryption 
key being kept secret. The decryption key kept secret is called a 
private key, and the encryption key made publicly available is called 
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a public key. When there are a number of cx>mmunication destinations, 
a key must be kept between the communication destinations in common 
key encryption. On the other hand, in public key encryption, 
communications are made possible if the communication destinations 
simply have a single unique key, and therefore, the number of keys 
required is less than in the common key encryption even if the number 
of communication destinations increases. Thus, the public key 
encryption is well suited to communications with a number of 
destinations, and indispensable and fundamental technology. 
[0004] The safety of an RSA encryption system — a type of the public key 

encryption system — is based on that solving prime factorization of 
integers is difficult in terms of computational effort. The prime 
factorization is a problem to find primes p and q with respect to an 
integer n, when n = p x q. Here, "x" is general multiplication. In 
general, when p and q are as large, for example, as 1024 bits, solving 
the prime factorization is difficult . This therefore makes it difficult 
to find out a private key from a public key with the RSA encryption 
system, and also makes it difficult for users not having the private 
key to find out a plain text from an encrypted text. Note that prime 
factorization is discussed in detail in Non-Patent Reference 1 (pp. 
144-151) . 

[0005] 1.1 RSA ENCRYPTION SYSTEM APPLYING PRIME FACTORIZATION 

Here is described the RSA encryption system applying prime 

factorization . 

(1) Key Generation 

A public key and a private key are calculated in the following 

manner: 



• Choose large primes p and q randomly, and calculate the 
multiplication n = p x q; 

[0006] • Calculate the least common multiple L = LCM(p-l, q-1) of (p-1) 

and (q-1); 

• Choose randomly a natural number e which is coprime to L and is 
smaller than L, 

1 < e < L-l, GCD(e, L) = 1, 
where "GCD(e, L) " is the greatest cxDmmon divisor of e and L; and 

• Calculate d satisfying e x d = 1 mod L. 

Since GCD(e, L) = 1, such d exists without exception. The integers e 
and n obtained thus form a public key while the integer d is a private 
key. Here, "x mod y" is a reminder when x is divided by y. 
[0007] (2) Generation of Encrypted Text 

By using the integers e and n of the public key, an encrypted text 
c is calculated by performing encryption calculation on a plain text 
m. 

c = m^e mod n 

Note that, in this description, an operator r,/v " indicates that 
a number following this is an exponent. For example, "A A x" means A is 
multiplied by itself x times when x > 0. 
[0008] (3) Generation of Decrypted Text 

By using the integer number d of the private key, a decrypted text 
m f is calculated by performing decryption calculation on the encrypted 
text c . 

m f = c^d mod n 

Note that the decrypted text m' agrees with the plain text m since 
m' = c~d mod n 

= (m^e)^d mod n 



= m~(e x d mod L) mod n 
= m^l mod n 
= m mod n. 

[0009] RSA encryption is discussed in detail in Non- Patent Reference 2 

(pp. 110-113). 

The generation of primes is carries out in the public key 
generation step in the RSA encryption applying the prime factorization 
described above. The prime generation is described in detail in 
Non-Patent Reference 3 (pp. 145-154) . There are two types of methods 
to generate primes: stochastic prime generation methods and 
deterministic prime generation methods. Primes generated by a 
stochastic prime generation method are numbers "likely to be primes" , 
and they are not always primes . On the other hand, a deterministic prime 
generation method unfailingly generates primes . Details of stochastic 
and deterministic prime generation methods are described in Non-Patent 
Reference 2 . The following gives an account of a deterministic prime 
generation method. 

[0010] 1.2 EXAMPLE OF CONVENTIONAL TECHNIQUE 1: DETERMINISTIC PRIME 

GENERATION METHOD 

Here is described a deterministic prime generation method using 
Maurer's method, by which primes are deterministically generated. The 
Maurer method is discussed in detail in Non- Patent Reference 3 (pp. 
152-153). 

In the deterministic prime generation method, primes are generated 
by repeating the following steps. A prime q having a bit size lenq is 
provided in advance. 
[0011] <Step 1> A random number R having (lenq-1) bits is selected. Note 

that the beginning bit of the random number R must never fail to be 



<Step 2> A number N is calculated by using the following equation : 

N=2xqXR+l. 
<Step 3> When the following 1st and 2nd judgments are both true, 
the number N is determined as a prime. Otherwise, it is determined as 
not being a prime. 

1st judgment: 2~(N-1) = 1 mod N; and 
2nd judgment: GCD (2 /N (2R)-l, N) = 1. 
When being determined as a prime, the number N is output as a prime . 
When the number N is determined as not being a prime, the processing 
returns to Step 1 and is repeated until a prime is output. 
[0012] The judging test of Step 3 is called the Pocklington's primality 

test, and described in detail in Non-Patent Reference 3 (p. 144). In 
the Pocklington's primality test, when q in "N = 2 x q x R + 1" is a 
prime and the results of the 1st and 2nd judgments are true, the number 
N is unfailingly a prime. Therefore, it makes possible to determine 
and generate a prime in a deterministic manner. 
[0013] In the deterministic prime generation using the Maurer's method, 

the prime N having a size 2 x lenq is thus generated based on the prime 
q having a size lenq. Accordingly, in the case when a prime having a 
predetermined length is to be generated by using the Maurer's 
deterministic prime generation method, the generation of a prime having 
a length shorter than or the same as the predetermined length is repeated. 
For example, when a 512 -bit length prime is to be generated, a 16 -bit 
prime is generated based on an 8 -bit prime provided in advance. Then, 
a 32 -bit prime is generated based on the generated 16 -bit prime. Next, 
a 64 -bit prime is generated based on the generated 32 -bit prime. After 



the repetition of the prime generation in a similar fashion, a 512 -bit 
prime is generated. 

[0014] Note that the 2nd judgment can be replaced by the following 

judgment. 

3rd judgment: 2~(2R) ^ 1 mod N 

The 3rd judgment is discussed in Non-Patent Reference 4 . 
Hereinafter, the 3rd judgment is employed. 

1.3 KEY ISSUING SYSTEM HAVING MULTIPLE KEY ISSUING SERVERS 

Regarding key issuing systems for public key encryption, there 
are cases where a key is generated by a user and where a key is issued 
to a user by a key issuing server . When a key is issued by a key issuing 
server, it is often the case that a single server issues a key to the 
user. However, in order to reduce the processing load, a key issuing 
system may have multiple key management servers , and keys are issued 
by the respective key management servers. 

<Patent Reference 1> Japanese Laid-open Patent Application 
Publication No. 2003-5644; 

<Non- Patent Reference 1> Coedited by Tatsuaki Okamoto and Kazuo 
Ohta, Angou • Zero Chlshlki Mondal • Suron (Encryption - Zero Knowledge 
Problems • Number Theory), 1990, Kyoritsu Syuppan; 

<Non- Patent Reference 2> Tatsuaki Okamoto and Hiroshi Yamamoto, 
Gendai Angou (Modern Encryption), 1997, Sangyo - Tosho ; 

<Non- Patent Reference 3> A.J. Menezes, P.C. van Oorschot, S.A. 
Vanstone, Handbook of Applied Cryptography, 1991, CRC Press; 

<Non -Patent Reference 4> Eiji Okamoto, Angou Riron Nyumon 
(Introduction to Encryption Theory), 1993, p. 21, Kyoritsu Syuppan; 
and 

<Non- Patent Reference 5> Henri Cohen, A Course in Computational 



Algebraic Number Theory, 1993, GTM 138, Springer- Verlag . 

Disclosure of the Invention 
[Problems that the Invention is to Solve] 
[ 0015 ] Regarding a key issuing system using multiple key issuing servers , 

each of 1st and 2nd key issuing servers does not check an RSA key issued 
by the other key issuing server because a security problem occurs if 
the issued RSA keys are made publicly available. Therefore, there is 
a possibility that the 1st and 2nd key issuing servers generate the 
same public key and the same private key for 1st and 2nd users by chance . 
[0016] Accordingly, a problem remains that security cannot be maintained 

when the encryption system is used. 

For example, if a third user generates an encrypted text by using 
the public key for the 1st user and sends this to the 1st user, the 
1st user can naturally decrypt the encrypted text by using its own 
private key; however, the 2nd user is also able to decrypt the encrypted 
text by using its own private key. 
[Means to Solve the Problems] 
[0017] In order to solve such a problem, it is effective if a generated 

prime allows to identify which server has generated the prime. Since 
an RSA public key is ccmputed by multiplication of two different primes , 
even if another key issuing server generates the same primes by chance, 
it is possible to eliminate these primes. 

Given this factor, the present invention aims at offering a prime 
calculating apparatus for calculating primes whose generation source 
can be identified, a prime verification apparatus for performing the 
identification , a key issuing system, a prime calculation method, a 
prime verification method, and a computer program. 



[ 0018 ] In order to accomplish the above ob j ective , the present invention 

is a prime calculating apparatus for calculating a prime candidate N 
larger than a known prime q and testing primality of the calculated 
prime candidate N. The prime calculating apparatus comprises: an 
information storage unit storing the known prime q, management 
information that is an odd number and corresponds to a prime to be 
generated, and a predetermined verification value; a random number 
generation unit operable to generate a random number; a candidate 
calculation unit operable to (i) read the prime q, the management 
information, and the verification value, (ii) calculate a 
multiplication value R by multiplying the management information by 
the random number, and (iii) calculate the prime candidate according 
to N = 2 x (multiplication value R + w) x prime q + 1, using w satisfying 
2 x w x prime q + 1 = the verification value (mod the management 
information) ; a primality testing unit operable to test primality of 
the calculated prime candidate N; and an output unit operable to output 
the calculated prime candidate N as a prime when the primality of the 
calculated prime candidate N is determined. 
[Advantageous Effects of the Invention] 

[0019] According to the structure above, the prime calculating apparatus 

calculates multiplication value R by multiplying the management 
information corresponding to the prime to be generated by the random 
number, and calculates prime candidate N, according to N = 2 x 
(multiplication value R + w) x prime q -f 1, using 2 x w x prime q + 1 
= the verification value (mod the management information) . As a result, 
when the calculated prime candidate N is a prime, the generation source 
of the prime can be identified by judging whether (prime N - the 
verification value) is divisible by the management information. 
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[0020] Note that the generation source of the prime means, needless to 

say, a concept indicating the prime calculating apparatus which 
calculated the prime; however, it is also a concept indicating other 
apparatuses and groups related to the prime calculating apparatus. 

Here, the verification value stored in the information storage 
unit may be 1. In this case, the candidate calculation unit calculates 
the prime candidate N according to N = 2 x multiplication value R x 
prime q + 1. 

[0021] According to the structure above, prime candidate N is calculated 

according to N = 2 x multiple value R x prime q + 1, and therefore, 
the generation source of the prime can be identified by judging whether 
(prime N - 1) is divisible by the management information. 

Here, the primality testing unit may include: a 1st judging 
subunit operable to judge whether the prime candidate N satisfies 2 N_1 
= 1 mod N; and a 2nd judging subunit operable to perform, when the judgment 
of the 1st judging subunit is affirmative, one of judgments of (i) 
whether the prime candidate N and the multiplication value R satisfy 
2 2R ^ 1 mod N and ( ii ) whether the prime candidate N and the multiplication 
value R satisfy GCD(2 2R ~1, N) =1, and to determine the primality of 
the prime candidate N when the performed one of j udgments is affirmative . 

[0022] According to the structure above, the primality of the generated 

prime candidate is determined in a reliable fashion. 
Here, the information storage unit may further store a known prime g 
and a unique issue identifier. In this case, the prime calculating 
apparatus further comprising: a prime generation unit operable to 
generate a prime gp by applying a prime generation function for 
generating a unique prime to the prime g and the issue identifier, and 
output the generated prime gp; and a writing unit operable to write 
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the generated prime gp to the information storage unit as the management 
information . 

[0023] In addition, the prime generation unit may (i) generate a 

combination of the issue identifier and a variable c that is one of 
0 and a positive integer, (ii) calculate a prime candidate = 2 x prime 
g x f (the combination) + 1, and (iii) test primality of the calculated 
prime candidate, and outputs the calculated prime candidate as the prime 
gp when the primality of the calculated prime candidate is determined. 

Here, when the primality of the calculated prime candidate is not 
determined, the prime generation unit may (i) add a value of 1 to the 
variable c, (ii) generate a 2nd combination of the issue identifier 
and the variable c having the value of 1 added thereto, (iii) calculate 
a 2nd prime candidate = 2 x prime g x f (the 2nd combination) + 1, and 
(iv) test primality of the 2nd calculated prime candidate, and outputs 
the 2nd calculated prime candidate as the prime gp when the primality 
of the 2nd calculated prime candidate is determined. 
[0024] According to the structures above, it is possible to generate 

unique management information. 

Here, the prime calculating apparatus may further comprise: an 
iteration control unit operable to control the randcm number generation 
unit, the candidate calculation unit, and the primality testing unit 
to iterate the random number generation, the calculation of the prime 
candidate N, and the primality testing, until the primality of the 
calculated prime candidate N is determined by the primality testing 
unit. 

[0025] According to the structure above, a prime is calculated without 

fail. 
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Here, the prime calculating apparatus may further ccmprise: a 
preparative prime storage unit storing a known prime p; a preparative 
random number calculation unit operable to calculate a random number 
R' ; a preparative candidate calculation unit operable to calculate a 
prime candidate N' , according to N ' = 2 x random number R' x prime p 
+ 1 , using the prime p and the calculated random number R' ; a preparative 
primality testing unit operable to test primality of the calculated 
prime candidate N' ; a preparative writing unit operable to write the 
calculated prime candidate N' to the information storage unit as a prime 
q when the primality of the calculated prime candidate N' is determined; 
and a preparative iteration control unit operable to control the 
preparative random number calculation unit, the preparative candidate 
calculation unit, and the preparative primality testing unit to iterate 
the calculation of the random number R' , the calculation of the prime 
candidate N' , and the primality testing, until the primality of the 
calculated prime candidate N' is determined by the preparative primality 
testing unit. 

[0026] According to the structure above, it is possible to generate prime 

N' which is twice the known prime, and to generate prime N which is 
twice prime N' . 

Here, the prime calculating apparatus may be a key generating 
apparatus for generating a public key and a private key of RSA encryption . 
In this case, the prime calculating further comprises: a public key 
generation unit operable to generate the public key using a calculated 
prime N; and a private key generation unit operable to generate the 
private key using the generated public key. 
[0027] According to the structure above, - it is possible to generate RSA 

public and private keys that use prime N, whose generation source can 
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be identified. 

Here, the public key generation unit may (i) direct the iteration 
control unit to newly obtain a prime N' , (ii) calculate a number n, 
according to n = prime N x prime N' , using the prime N and the newly 
obtained prime N' , and (iii) generate a random number e. In this case, 
a combination of the calculated number n and the generated random number 
e is the public key, the private key generation unit calculates d 
satisfying e x d = 1 mod L, L is a least common multiple of the prime 
N - 1 and the prime N' - 1, and the calculated d is the private key. 

[0028] According to the structure above, public key n is calculated 

according to n = prime N x prime N' , and therefore, it is possible to 
generate the public key, whose generation source can be identified by 
judging whether (public key n - (the verification value x the 
verification value)) is divisible by the management information. 

Note that the generation source of the public key means , needless 
to say, a concept indicating the key generating apparatus which 
calculated the public key; however, it is also a concept indicating 
other apparatuses and groups related to the key generating apparatus . 
For example, it is a concept indicating a terminal to which the generated 
private key is assigned. 

[0029] Here, the information storage unit may further store a different 

verification value from the verification value. In this case, the 
public key generation unit directs the iteration control unit to newly 
obtain a prime N' . The candidate calculation unit calculates a prime 
candidate N' , according to N' = 2 x multiplication value R x prime q 
+ the different verification value. The public key generation unit 
calculates a number n, according to n = prime N x prime N' , using the 
prime N and the newly obtained prime N' , and generates a random number 



e, a combination of the calculated number n and the generated random 
number e is the public key. The private key generation unit calculates 
d satisfying e x d = 1 mod L, Lisa least common multiple of the prime 
N - 1 and the prime N' - 1, and the calculated d is the private key. 
[003.0] According to the structure above, prime N is generated using the 

verification value, prime N' is generated using a different verification 
value, and public key n is calculated according ton = prime N x prime 
N' . Therefore, it is possible to generate the public key, whose 
generation source can be identified by judging whether (public key n 
- (the verification value x the different verification value) ) is 
divisible by the management information. 

Here, the prime calculating apparatus may be a key issuing server 
apparatus for generating and issuing the public key and the private 
key of RSA encryption for a terminal. In this case, the prime 
calculating apparatus further comprising: a key output unit operable 
to output the generated private key to the terminal; and a publishing 
unit operable to publish the generated public key. 

[0031] According to the structure above, the private key generated for 

the terminal is output, and therefore, the terminal can obtain and use 
the private key. 

Here, the prime calculating apparatus may further comprise: an 
identifier obtaining unit operable to obtain a terminal identifier 
uniquely identifying the terminal ; a management information generation 
unit operable to generate the management information including the 
obtained terminal identifier; and a writing unit operable to write the 
generated management information to the information storage unit. 

[0032] The management information includes a terminal identifier 

uniquely identifying the terminal, and therefore, it is possible to 
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generate the public key in a manner that the terminal can be identified 
as the generation source 'of the public key. 

The prime calculating apparatus may further comprise: a server 
identifier storage unit prestoring a server identifier uniquely 
identifying the prime calculating apparatus functioning as the key 
issuing server apparatus . Here, the management information generation 
unit further reads the server identifier from the server identifier 
storage unit, and generates the management information further 
including the read server identifier. 
[0033] The management information includes a server identifier uniquely 

identifying the key issuing server apparatus, and therefore, it is 
possible to generate the public key in a manner that the key issuing 
server apparatus can be identified as the generation source of the public 
key. 

In addition, the present invention is a prime verification 
apparatus for verifying the prime N output by the prime calculating 
apparatus. The prime verification apparatus comprises: a 
prime-verification-apparatus information storage unit storing the 
management information and the verification value; a subtraction unit 
operable to obtain a prime subtraction value by subtracting the 
verification value from the prime N; a judgment unit operable to judge 
whether the obtained prime subtraction value is divisible by the 
management information; and a control unit operable to permit use of 
the prime N when the judgment is affirmative, and prohibit the use of 
the prime N when the judgment is negative. 
[0034] According to the structure above, it is possible to identify the 

generation source of the prime by judging whether (prime N - the 
verification value) is divisible by the management information. 
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Here, the prime calculating apparatus may store the verification 
value which is 1, and calculate a prime candidate N, according to N 
= 2 x multiplication value R x prime q + 1 . In this case, the verification 
value stored in the prime-verification-apparatus information storage 
unit is 1, and the subtraction unit obtains the prime subtraction value 
by subtracting 1 from the prime N. 
[0035] According to the structure above, it is possible to identify the 

generation source of the prime by judging whether (prime N - 1) is 
divisible by the management information. 

Here, the prime calculating apparatus may further ( i) store a known 
prime g and a unique issue identifier, (ii) generate a prime gp by 
applying a prime generation function for generating a unique prime using 
the prime g and the issue identifier, (iii) output the generated prime 
gp, and (iv) writes the generated prime gp to the information storage 
unit as the management information. In this case, the 
prime-verification-apparatus information storage unit further stores 
the prime g and the issue identifier. The prime verification apparatus 
further comprises: a prime generation unit operable to generate the 
prime gp by applying the prime generation function for generating the 
unique prime using the prime g and the issue identifier, and output 
the generated prime gp; and a writing unit operable to write the 
generated prime gp to the prime-verification-apparatus information 
storage unit as the management information. 
[0036] Here, the prime calculating apparatus may (i) generate a 

combination of the issue identifier and a variable c that is one of 
0 and a positive integer, (ii) calculate a prime candidate = 2 x prime 
g x f ( the combination ) + 1 , ( iii ) test prijnality of the calculated prime 
candidate, and (iv) outputs the calculated prime candidate as the prime 



gp when the primality is determined. In this case, the prime generation 
unit (i) generates the combination of the issue identifier and the 
variable c, (ii) calculates the prime candidate = 2 x prime g x f (the 
combination) + 1, and (iii) tests primality of the calculated prime 
candidate, and outputs the calculated prime candidate as the prime gp 
when the primality is determined. 

[0037] Here, when the primality is not determined, the prime calculating 

apparatus may (i) add a value of 1 to the variable c, (ii) generate 
a 2nd combination of the issue identifier and the variable c having 
the value of 1 added thereto, (iii) calculate a prime candidate = 2 
x prime g x f (the 2nd combination) + 1, and (iv) test primality of the 
calculated prime candidate and outputs the calculated prime candidate 
as the prime gp when the primality of the calculated prime candidate 
is determined. In this case, when the primality of the generated prime 
candidate is not determined, the prime generation unit (i) adds the 
value of 1 to the variable c, (ii) generates the 2nd combination of 
the issue identifier and the variable c having the value of 1 added 
thereto, and (iii) tests primality of the calculated prime candidate 
and outputs the calculated prime candidate as the prime gp when the 
primality is determined . 

[0038] According to the structure above , it is possible to generate unique 

management information. 

Here, the prime calculating apparatus may be a key generating 
apparatus for generating a public key and a private key of RSA encryption, 
* and further generate the public key of RSA encryption using the output 
prime N and generate the private key of RSA encryption using the 
generated public key. In this case, the prime verification apparatus 
is a key verification apparatus for verifying the public key. The 



prime verification apparatus further comprises: an obtaining unit 
operable to obtain the public key; and a verifying unit operable to 
verify validity of the obtained public key. 
[0039] According to the structure above, it is possible to identify the 

generation source of the RSA public key. 

Here, the priine calculating apparatus may (i) newly obtain a prime 
N' , (ii) calculate a number n, according to n = prime N x prime N' , 
using the prime N and the newly obtained prime N' , (iii) generate a 
random number e, and (iv) calculate d satisfying e x d = 1 mod L, where 
L is a least common multiple of the prime N - 1 and the prime N' - 1, 
and a combination of the calculated number n and the generated random 
number e is the public key while the calculated d is the private key. 
In this case, the obtaining unit obtains the combination of the number 
n and the random number e as the public key . The verifying unit includes : 
a subtraction subunit operable to obtain a public-key subtraction value 
by subtracting a square value of the verification value f ran the obtained 
number n; a judgment subunit operable to judge whether the obtained 
prime subtraction value is divisible by the management information; 
and a control subunit operable to permit output of the public key when 
the judgment is affirmative, and prohibit the output of the public key 
when the judgment is negative. 
[0040] According to the structure above, public key n is calculated 

according to n - prime N x prime N' , and therefore, it is possible to 
identify the generation source of the public key by judging whether 
(public key n - (the verification value x the verification value) ) is 
divisible by the management information. 

Here, the prime calculating apparatus may further (i) store a 
different verification value from the verification value, (ii) newly 
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obtain a prime N' by calculating a prime candidate N' , according to 
N' = 2 x multiplication value R x prime q + the different verification 
value, (iii) calculate a number n, according to n = prime N x prime 
N' , using the prime N and the newly obtained prime N' and generates 
a random number e, and (iv) calculate d satisfying e x d = 1 mod L, 
where L is a least common multiple of the prime N - 1 and the prime 
N' - 1, and a combination of the calculated number n and the generated 
random number e is the public key while the calculated d is the private 
key. In this case, the prime- verification-apparatus information 
storage unit stores the different verification value, the obtaining 
unit obtains the combination of the number n and the random number e 
as the public key. The verifying unit includes : a subtraction subunit 
operable to obtain a multiplication value by multiplying the 
verification value and the different verification value and to obtain 
a public key subtraction value by subtracting the multiplication value 
f rem the obtained number n; a judgment subunit operable to judge whether 
the obtained prime subtraction value is divisible by the management 
information; and a control subunit operable to permit output of the 
public key when the judgment is affirmative, and prohibit the output 
of the public key when the judgment is negative. 
[0041] According to the structure above, prime N is generated using the 

verification value, prime N' is generated using a different verification 
value, and public key n is calculated according to n = prime N x prime 
N' . Therefore, it is possible to identify the generation source of the 
public key by judging whether (public key n - (the verification value 

x the different verification value) ) is divisible by the management 
information . 

Here, the management information stored in the 
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prime-verification-apparatus information storage unit may include a 
terminal identifier uniquely identifying the terminal. In this case, 
the judgment unit judges whether the obtained prime subtraction value 
is divisible by the management information including the terminal 
5 . . identifier. 

[0042] The management information includes a terminal identifier 

uniquely identifying the terminal, and therefore, it is possible to 
identify the terminal as the generation source of the public key. 

Here, the management information stored in the 

10 prime-verification-apparatus information storage unit may include a 

server identifier uniquely identifying the prime calculating apparatus 
functioning as the key issuing server apparatus. In this case, the 
judgment unit judges whether the obtained prime subtraction value is 
divisible by the management information including the server 

15 identifier. 

[0043 ] The management information includes a server apparatus identifier 

uniquely identifying the key issuing server, and 'therefore, it is 
possible to identify the key issuing server apparatus as the generation 
source of the public key. 

20 Here, the prime verification apparatus may be a 

public-key- certificate issuing server apparatus. In this "case, the 
prime verification apparatus further comprises: a certificate 
generation unit operable to generate , when the verifying unit determines 
that the public key is valid, signature data by applying a digital 

25 signature to public key information including at least the public key, 

and to generate a public key certificate including at least the signature 
data and the public key; and a certificate output unit operable to output 
the generated public key certificate. 
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According to the structure above, when the public key is determined 
valid, a public key certificate is generated and output, and therefore, 
it is possible to generate a public key certificate which identifies 
the generation source of the public key. 

Brief Description of the Drawings 
5] FIG. 1 is an overall schematic view of a key issuing system 

1; 

FIG. 2 is a block diagram illustrating the configuration 
of a key issuing server 100; 

FIG. 3 is a block diagram illustrating the configuration 
of a prime generation unit 116; 

FIG. 4 shows an example of a data structure of a control 
information table T100; 

FIG. 5 is a block diagram illustrating the configuration 
of a prime information generation unit 133; 

FIG. 6 is a block diagram illustrating the configuration 
of a certificate issuing server 200; 

FIG. 7 shows an example of a data structure of verification 
value table T200; 

FIG. 8 is a block diagram illustrating the configuration 
of a terminal 300; 

FIG. 9 is a flow diagram illustrating an outline of 
operation of the key issuing system 1; 

FIG. 10 is a flow diagram illustrating operation of a key 
request process in the key issuing system 1; 

FIG. 11 is a flow diagram illustrating operation of a key 
issuing process in the key issuing system 1 (continuing to FIG. 



12) ; 

FIG. 12 is a flow diagram illustrating operation of the key 
issuing process in the key issuing system 1 (continued from FIG. 

11 to FIG. 13) ; 

FIG. 13 is a flow diagram illustrating operation of the key 
issuing process in the key issuing system 1 (continued from FIG. 

12 to FIG. 14) ; 

FIG. 14 is a flow diagram illustrating operation of the key 
issuing process in the key issuing system 1 (continued from FIG. 

13) ; 

FIG. 15 is a flow diagram illustrating operation of a prime 
generation process; 

FIG. 16 is a flow diagram illustrating operation of a prime 
candidate generation process (continuing to FIG. 17); 

FIG. 17 is a flow diagram illustrating operation of the prime 
candidate generation process (continued from FIG. 16); 

FIG. 18 is a flow diagram illustrating operation of a 
certificate issuing process in the key issuing system 1; 

FIG. 19 is a block diagram illustrating a configuration of 
a prime information generation unit 13 3A; 

FIG . 20 shows an example of a data structure of a verification 
value table T250; 

FIG. 21 is a block diagram illustrating a configuration of 
a prime information generation unit 133B; 

FIG. 22 is a block diagram illustration a structure of a 
prime generation unit 116C; 

FIG. 23 shows an example of a data structure of a control 
information table T150; 
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FIG. 24 is a block diagram illustrating a configuration 
of a prime information generation unit 13 3C; 

FIG. 25 is a flow diagram illustrating operation of a prime 
candidate generation process ; 

FIG. 26 is an overall schematic view of a key issuing system 2; 

FIG. 27 is a block diagram illustrating a configuration 
of a key issuing server 1100; 

FIG. 28 shows an example of a data structure of an issued 
key information table T1100; 

FIG. 29 is a block diagram illustrating a configuration 
of a key issuing audit server 1200; 

FIG. 30 shows an example of a data structure of a 
verification value table T1200; 

FIG. 31 is a flow diagram illustrating an outline of 
operation of the key issuing system 2 at key issuance; 

FIG. 32 is a flow diagram illustrating an outline of 
operation of the key issuing system 2 at key audit; 

FIG. 33 is a flow diagram illustrating operation of a 
certification issuing process in the key issuing system 2; 

FIG. 34 is a flow diagram illustrating operation of a key 
. information acquisition process in the key issuing system 2; 

FIG. 35 is a flow diagram illustrating operation of an audit 
process in the key issuing system 2; 

FIG. 36 is a flow diagram illustrating operation of a 
determination process; 

FIG. 37 shows operation for generating a 512-bit prime from 
an 8 -bit prime; 

FIG. 38 is a block diagram illustrating a configuration 



of a prime generation apparatus 2100; 

FIG. 39 is a flow diagram illustrating operation of a prime 
generation process; 

FIG. 40 is a flow diagram illustrating operation of a prime 
candidate generation process; 

FIG. 41 is a block diagram illustrating a configuration 
of a prime generating apparatus 2200; 

FIG. 42 is a block diagram illustrating a configuration 
of a prime generating apparatus 2300; 

FIG. 43 is a block diagram illustrating a configuration 
of a prime generating apparatus 2400; 

FIG. 44 is a block diagram illustrating a configuration 
of a prime generating apparatus 2500; 

FIG. 45 shows an example of *IDI_R1" generated as a result 
of filling a bit string of issue identifier information "IDI" 
with each bit making up a random number W R1"; and 

FIG. 46 is a flow diagram illustrating operation of a 
verification process. 
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Best Mode for Carrying Out the Invention 
[0047] 1. FIRST EMBODIMENT 

Here is a description of a key issuing system 1 of the first 
embodiment according to the present invention. 
5 1.1 OVERVIEW OF KEY ISSUING SYSTEM 1 

As shown in FIG. 1, the key issuing system 1 comprises : key 
issuing servers 100, 101 and 102; a certificate issuing server 
200; and terminals 300, 301, 302, 303, 304, 305, and 
306. The number of the terminals is, for example, a thousand. 
10 [0048] Each of the key issuing servers 100, 101 and 102 is managed 

by a different company. The terminals 300, 301, and 302 

individually request the key issuing server 100 to issue a key. 
in the same manner, the terminals 303, and 304 individually 
request the key issuing server 101 to issue a key, while the 
15 terminals 305, and 306 individually request the key issuing 

server 102 to issue a key. Note that the terminals 300, 301, 
and 302 respectively have safe communication pathways with the 
key issuing server 100. And in the same way, safe communication 
pathways are established between the key issuing server 101 and 
20 the respective terminals 303, and 304 as well as between the 

key issuing server 102 and the respective terminals 305, and 
306. 

[0049] in like fashion, each of the key issuing servers 100, 101 

and 102 also has a safe communication pathway with the certificate 

25 issuing server 200. 

Note that the following describes the overview of the key 
issuing system 1, using the key issuing server 100, certificate 
issuing server 200 and terminal 300. 
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Receiving a key issue request from the terminal 300, the 
key issuing server 100 generates a private key and a public key 
with the RSA encryption, and requests the certificate issuing 
server 200 to issue a public key certificate for the generated 
public key. Here, assume that the key length of each key to be 
generated is 1024 bits. 

[0050] Receiving the certificate issue request from the key issuing 

server 100, the certificate issuing server 200 issues a public 
key certificate, and then transmits the issued public key 
certificate to the key issuing server 100. 

Receiving the public key certificate from the certificate 
issuing server 200, the key issuing server 100 transmits the 
received public key certificate and the generated private key 
to the terminal 300. 

Receiving the public key certificate and the private key 
from the key issuing server 100, the terminal 300 stores the 
received public key certificate and private key. 

[0051] Subsequently, the user of the terminal 400, for example, 

first obtains the public key certificate of the terminal 300 from 
the key issuing server 100, or from the terminal 300, and examines 
the validity of the public key certificate, using the public key 
held by the certificate issuing server 200. When the public key 
certificate is determined as valid, the obtained public key 
certificate is stored in the terminal 400. The terminal 400 
encrypts an e-mail to be transmitted to the terminal 300, using 
the public key included in the stored public key certificate, 
and transmits the encrypted e-mail to the terminal 300. 

[0052] Receiving the encrypted e-mail from the terminal 400, the 



terminal 300 decrypts the encrypted e-mail, using the stored 
private key, and displays the decrypted e-mail. 

Herewith, a safe exchange of data can be achieved between 
the terminals 300 and 400. 
[0053] Note that since each of the terminals 301, and 302 is 

the same as the terminal 300, the descriptions are left out here. 
In addition, each of the key issuing servers 101 and 102 is the 
same as the key issuing server 100, the descriptions are left 
out here. 

In the following explanation, the terminal 300 is used as 
a representative terminal while the key issuing server 100 being 
used as a representative key issuing server. 

[0054] 1.2 STRUCTURE OF KEY ISSUING SERVER 100 

The key issuing server 100, as shown in FIG. 2, comprises: 
an identifier repository 110; a private key repository 111; a 
public key repository 112; a certificate repository 113 ; a control 
unit 114; an identifier generation unit 115; a prime generation 
unit 116; a key judgment unit 117; a key generation unit 118; 
an information acquisition unit 119; a reception unit 120; and 
a transmission unit 121. 

[0055] The key issuing server 100 is, specifically speaking, a 

computer system composed of a microprocessor, ROM, RAM, a hard 
drive unit, a display unit, a keyboard, a mouse, and the like. 
A computer program is stored in the RAM or the hard drive unit. 
The microprocessor operates according to the computer program, 
and thereby the key issuing server 100 achieves the function. 

[0056] Note that, since each of the key issuing servers 101 and 102 has 

the same structure as the key issuing server 100, the descriptions are 



left out here. 

2.2.2 Identifier Repository 110 

The identifier repository 110 has an area to store issue 
identifier information, having a bit size of 126 bits or less. 
The bit size of the issue identifier information is 64 bits, for 
example . 

[0057] 2.2.2 Private Key Repository 111 

The private key repository 111 has : a prime repository area 
to store two primes which are used for private key generation; 
and a private key repository area to store a private key generated 
by the key generation unit 118 . 

2.2.3 Public Key Repository 112 

The public key repository 112 has an area to store a public 
key generated at the key generation unit 118 . 
[0058] 2.2.4 Certificate Repository 113 

The certificate repository 113 has an area to store a public 
key certificate issued by a certificate issuing server. 

1.2.5 Control Unit 114 

The control unit 114, as shown in FIG. 2, has a server 
identifier storage area 130 and a terminal information storage 
area 131. 

[0059] The server identifier storage area 130 stores in advance, 

a sever identifier which identifies the server itself. For 
example, in the case of the key issuing server 100, SIDA is stored 
therein, while SIDB and SIDC are stored in the server identifier 
storage area 130 of the key issuing servers 101 and 102, 
respectively. Note that the following description is given with 
the server identifier of the key issuing server 100 being "SID" . 



Here, the bit size of the server identifier is 31 bits. 

[0060] The terminal information storage area 131 has an area to 

store a terminal identifier that identifies a terminal having 
requested a key issue. Here, the terminal identifier is, for 
example, a serial number of the terminal. The bit size of the 
serial number is here 32 bits. 

Receiving, from the terminal 300 via the reception 120, key- 
issue request information indicating a key issue request and a 
terminal identifier NX TID" of the terminal 300, the control unit 
114 writes the received terminal identifier "TID" to the terminal 
information storage area 131. The control unit 114 outputs an 
order to generate issue identifier information and the received 
terminal identifier XN TID" to the identifier generation unit 115. 

[0061] Receiving a public key certificate "Cert" from the 

certificate issuing server 200 via the reception unit 120, the 
control unit 114 writes the received public key certificate "Cert" 
to the certificate repository 113. The control unit 114 outputs, 
to the information acquisition unit 119, a distribution start 
order to start a process of distributing the private key and the 
public key certificate to the terminal 300 which has requested 
a key issue. 

1.2.6 Identifier Generation Unit 115 

Receiving the order to generate issue identifier information 
and the terminal identifier "TID" from the control unit 114, the 
identifier generation unit 115 acquires the server identifier 
"SID" stored in the server identifier storage area. 
[0062] The identifier, generation unit 115 generates issue 

identifier information "IDI = SID | | TID | 1 1" from the acquired 



server identifier "SID" , the received terminal identifier VX TID" 
and a number "1". Here, the symbol * | |" denotes a bit join or 
byte join. By setting the last bit of the issue identifier 
information XV IDI" to vx l", the issue identifier information "IDI" 
is always an odd number, and the bit size is 64 bits. 
[0063] The identifier generation unit 115 writes the generated 

issue identifier information "IDI" to the identifier repository 
110, and outputs an order to start prime generation to the prime 
generation unit 116 . 

1.2.7 Prime Generation Unit 116 

The prime generation unit 116, as shown in FIG. 3, has an 
iteration control unit 132 and a prime information generation unit 
133. 

[0064] The prime generation unit 116 generates a 512-bit prime from 

an 8 -bit prime, and outputs the generated 512 -bit prime to the 
key judgment unit 117. 

1.2.7.1 Iteration Control Unit 132 

The iteration control unit 132 has an initial value storage 
area that stores in advance an 8 -bit prime and the bit size of 
the prime (i.e. "8" ) , and a temporary storage area to temporarily 
store a prime received from the prime information generation unit 
133. . .. 

[0065] The iteration control unit 132, as shown in FIG. 3, has 

an iteration counter 13 5 that counts the iteration number of 
operations of the prime information generation unit 13 3, and an 
output counter 136 that counts the number of primes output to 
the key judgment unit 117 — -i.e. the number of times that a 
generated 512 -bit prime has been output. Note that the initial 



values of the iteration counter 135 and the output counter 136 
are both "1". 

The iteration control unit 132 has a control information 
table T100 shown in FIG. 4. The control information table T100 
stores at least one combination made up of the number of iterations 
and control information. The number of iterations corresponds 
to the value of the iteration counter 135. The control 
information indicates a type of a generation method used to 
generate a prime at the prime information generation unit 133. 

[0066] Receiving the order to start prime generation from the 

identifier generation unit 115, the iteration control unit 132 
controls the prime information generation unit 133 to generate 
a prime. Receiving a prime from the prime information generation 
unit 133, the iteration control unit 132 either orders again the 
prime information generation unit 133 to generate a prime or 
outputs the received prime to the key judgment unit 117, according 
to the individual values of the iteration counter 135 and output 
counter 136. 

[0067] The operation is described next. 

Receiving the order to start prime generation from the 
identifier generation unit 115, the iteration control unit 132 
sets both the iteration counter 13 5 and output counter 136 to 

Receiving a prime from the prime information generation unit 
133, the iteration control unit 132 adds VN 1" to the value of the 
iteration counter 135, and judges whether the added result is 
7 or not. 

[0068] When determining that the added result is 7, the iteration 



control unit 132 judges whether the value of the output counter 
13 6 is 1 or not. When determining that it is 1, the iteration 
control unit 132 outputs the received prime to the key judgment 
unit 117 as a prime xv pl", and adds *1" to the value of the output 
counter 136 while setting the value of the iteration counter 135 
to xx l". When determining that it is not 1 — i.e. two or more, the 
iteration control unit 132 makes the received prime a prime vv p2" , 
and outputs the prime vx p2" and a judgment start order to the key- 
judgment unit 117. 

When determining that the added result is not 7, the 
iteration control unit 132 calculates the bit size of the received 
prime, and temporarily stores the received prime and the 
calculated bit size in the temporary storage area. 

The iteration control unit 132 performs the following 
operation whenever (i) after receiving the order to start prime 
generation and setting the values of both the iteration counter 
135 and the output counter 136 to xx l", (ii) after temporarily 
storing a prime received from the prime information generation 
unit 133 and the bit size of the prime, and (iii) after adding 
xx l" to the value of the output counter 136 and setting the value 
of the iteration counter 135. to. *1" . 

The iteration control unit 132 judges whether the value of 
the iteration counter 135 is 1. When determining that it is 1, 
the iteration control unit 132 reads the 8 -bit prime and the bit 
size of the prime from the initial value storage area. On the 
other hand, when determining that it is not 1, the iteration 
control unit 132 reads. -a.. bit- size xx 8x(2~(n-l) ) " and the prime 
from the temporary storage area . That is , when determining that 



the value of the iteration counter 135 is not 1, the iteration 
control unit 132 reads, from the temporary storage area, a prime 
that was temporarily stored most recently and the bit size of 
the prime. Here, "n" is a value of the iteration counter. 
Herewith, the iteration control unit 132 reads the prime generated 
in the previous time and the bit size of the prime from the 
temporary storage area. For example, when the value of the 
iteration counter 13 5 is "2" , the iteration control unit 132 reads 
a prime of "16" bits; when the value of the iteration counter 
135 is "3", the iteration control unit 132 reads a prime of "32" 
bits ; Namely, when the value of the iteration counter 135 is "2" , 
"3", "4", "5" and "6", a prime of "16", "32", "64", "128" and 
"256" bits, respectively, is read out. 

Control information corresponding to the value of the 
iteration counter 13 5 is read from the control information table 
T100, and the iteration control unit 132 judges whether the read 
control information is "Information C" . 

When determining that it is "Information C" , the iteration 
control unit 132 generates 1st information made up of the read 
prime, the bit size of the prime, and the control information, 
and outputs the generated 1st information to the prime information 
generation unit 133. 

When determining that it is not "Information C", the 
iteration control unit 132 acquires the issue identification 
information "IDI" from the identifier repository 110, and 
calculates a bit size "lenlDI" of the acquired issue identifier 
information. The iteration control unit 132 then generates 2nd 
information made up of the read prime, the bit size of the prime, 



the control information, the issue identifier information VV IDI" 
and the bit size "lenlDI", and outputs the generated 2nd 
information to the prime information generation unit 133. 

0073] In addition, when receiving a regeneration order to 

regenerate a prime from the key judgment unit 117, the iteration 
control unit 132 adds xx l" to the value of the output counter 136 
and sets the value of the iteration counter 135 to XN 1" . 
Subsequently, the iteration control unit 132 performs the 
judgment of whether the value of the iteration counter 135 is 
and the subsequent operation. 
1.2.7.2 Prime Information Generation Unit 133 

0074] The prime information generation unit 133, as shown in FIG. 

5, comprises: an information control unit 140; a random number 
generation unit 141; a prime candidate generation unit 142; a 
1st primality testing unit 143; and a 2nd primality testing unit 
144. 

The prime information generation unit 133 generates a prime 
whose bit size is twice as large as that of the prime received 
from the iteration control unit 132. For example, when receiving 
a prime of 8 bits, the prime information generation unit 133 
generates a prime of 16 bits. In the same fashion, a prime of 
32 bit is generated, when a prime of 16 bit is received. 

The following describes each structural component, assuming 
-that a prime received from the iteration control unit 132 is vv q" 
and the bit size is "lenq". 
0075] 1.2.7.3 Information Control Unit 140 ... 

The information control unit 140 has an information storage 
area to store the 1st and 2nd information. 



The information control unit 140 has a verification-value 
storage area that stores in advance a 1st verification value vx cll" 
and a 2nd verification value Nx cl2" which are assigned by the 
certificate issuing server 200 and used when a prime is generated 
based on the control information "Information A". 
0076] Receiving, from the iteration control unit 132, the 1st 

information made up of the prime xv q" , the prime's bit size "lenq" , 
and the control information, the information control unit 140 
writes the received 1st information to the information storage 
area. That is, the information control unit 140 writes the prime 
xv q" , the prime's bit size xv lenq", and the control information 
(in this case, "Information C"). 
0077] Receiving, from the iteration control unit 132, the 2nd 

information made up of the prime vx q" , the prime's bit size v lenq" , 
the control information, the issue identifier information "IDI" 
and the bit size "lenlDI" , the information control unit 140 writes 
the received 2nd information to the information storage area. 
That is, the information control unit 140 writes the prime xv q", 
the prime's bit size "lenq", the control information, the issue 
identifier information XV IDI" and the bit size ^lenlDI". 

After writing the received information, the information 
control unit 140 outputs a 1st generation direction indicating 
a direction of random number generation to the random number 
generation unit 141. 

Receiving a prime from the 2nd primality testing unit 144, 
the information control unit 140 outputs the received prime to 
the iteration control unit 132. 

Receiving, from the prime candidate generation unit 142, 
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a number read -out order to read the value of the output counter 
136 , the information control unit 140 reads the value of the output 
counter 136 in the iteration control unit 132. The information 
control unit 140 outputs the read value to the prime candidate 
5 generation unit 142. 

[0078] 1.2.7.4 Random Number Generation Unit 141 

Receiving, from the information control unit 140, the 1st 
generation direction indicating a direction of random number 
generation, the random number generation unit 141 reads control 
10 information stored in the information storage area of the 

information control unit 14 0. The random number generation unit 
141 judges whether the read control information is "Information 
C" . 

When determining that it is "Information C" , the random 
15 number generation unit 141 reads "lenq" stored in the information 

storage area of the information control unit 140, generates a 
random number "Rl" of (lenq-1) bits, and outputs the generated 
random number "Rl" and the read control information to the prime 
candidate generation unit 142 . Here, the first bit of the random 
20 number "Rl" is 1. The method for generating random numbers is 

described in detail in Non-patent Reference 2. 
[0079] When determining that it is not "Information C" , the random, 

number generation unit 141 reads "lenq" and "lenlDI" stored in 
the information storage area of the information control unit 140 . 
25 Then, the random number generation unit 141 generates a random 

number "Rl" of ( lenq-lenIDI-1) bits, and outputs the generated 
random number "Rl" and the read control information to the prime 
candidate generation unit 142 . Here, the first bit of the random 
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number VX R1" is 1. 

0080] In addition, when receiving, from either the 1st primality 

testing unit 143 or the 2nd primality testing unit 144, a 2nd 
generation direction to generate a random number again, the random 
number generation unit 141 reads control information from the 
information storage area and conducts the above operation. 
1.2.7.5 Prime Candidate Generation Unit 142 
The prime candidate generation unit 142 has: a generated 
information storage area to store generated information; and a 
function storage area that stores in advance a function *f " which 
is an injection. Here, the function *f" is, for example, f (X| |Y) 
= Enc ( K, X| |Y). Enc (K, X| |Y) is an encrypted text obtained by 
encrypting (X| |Y) by a common key encryption method using a key 
K. An encryption function of a common key encryption method is 
generally a bi jection . In addition, the symbol * | | " is a bit join 
or byte join. An example of the encryption function *Enc(K, X | | Y) 
is xx Enc(K, X| | Y) = K XOR X| | Y" . Note that an example of the common 
key encryption method is DES, and when DES is employed, the key 
length is 128 bits . At this point, the prime candidate generation 
unit 142 stores a predetermined key VV K" . 

)081] Receiving the random number XX R1" and the control information 

from the random number generation unit 141, the prime candidate 
generation unit 142 judges whether the received control 
information is xx Inf ormation C" . 

When determining that it is vv Information C", the prime 
candidate generation unit 142 reads the prime xv q" from the 
information storage area of the information control unit 140. 
The prime candidate generation unit 142 generates a number 



- 2XRlxq+l", using the read prime *q" and the random number XX R1" 
received from the random number generation unit 141. The number 
XX N" generated at this point is a prime candidate. 
0082] The prime candidate generation unit 142 judges whether a 

bit size xx lenN" of the generated number "N" matches xx lenq" . When 
determining that they match each other, the prime candidate 
generation unit 142 outputs the generated number XX N" to the 1st 
primality testing unit 143, and stores, in the generated 
information storage area, the received random number XX R1" as XX R" . 

When determining that they do not match each other, the prime 
candidate generation unit 142 multiplies the random number XX R1" 
received from the random number generation unit 141 by 2, makes 
the result XX R1", and then generates the number XX N = 2xRlxq+l" by 
conducting the above operation once again. 
0083] When determining that the control information is not 

"Information C" , the prime candidate generation unit 142 reads 
the prime vx q" and the issue identifier information XV IDI" from 
the information storage area of the information control unit 140 . 
The prime candidate generation unit 142 judges whether the control 
information is * Information B" . 

When determining that it is "Information B" , the prime 
candidate generation unit 142 generates a join value XX IDI| |R1" 
from the received random number XX R1" and the read issue identifier 
information XX IDI", and then generates a number XX R = f (IDI| |R1)" 
using the generated join value "IDI| |R1" and the function xx f" 
stored in the function storage area. The prime candidate 
generation unit 142 generates the number XX N = 2xRxq+l" using the 
generated number XX R" and the read prime "q" , The number XX N" 



generated at this point is a prime candidate. 

[0084] The prime candidate generation unit 142 judges whether a 

bit size "lenN" of the generated number "N" is "2xlenq". 

When determining that it is "2xlenq", the prime candidate 
generation unit 142 outputs the generated number XV N" to the 1st 
primality testing unit 143, and stores the generated number VN R" 
to the generated information storage area. 

[0085] When determining that it is not "2xlenq" , the prime candidate 

generation unit 142 multiplies the random number *R1" received 
from the random number generation unit 141 by 2, makes the result 
*R1" , and generates the numbers VV R" and "N" once again. 

When it is determined that the control information is not 
"Information B" , the prime candidate generation unit 142 
generates the number VV R = IDIXR1" using the received random number 
"Rl" and the read issue identifier information "IDI" . The prime 
candidate generation unit 142 outputs a number read-out order 
to the information control unit 140, and receives the number of 
the output counter 136 from the information control unit 140. 
The prime candidate generation unit 142 judges whether the value 
of the output counter 136 is "1". 
[0086] When determining that the number of outputs is "1" , the prime 

candidate generation unit 142 reads the 1st verification value 
"ell" from the verification-value storage area of the information 
control unit 140. 

When determining that the number of outputs is not "1" — that 
is, "two" or more, the prime candidate generation unit 142 reads 
the 2nd verification value "cl2" from the verification-value 
storage area of the information control unit 140. 



Note that the operations of the prime candidate generation 
unit 142 after reading the 1st verification value "ell" and after 
reading the 2nd verification value *cl2" are the same, and 
therefore the following explanation is given using a verification 
5 value vx c" . 

[0087] The prime candidate generation unit 142 generates a number 

XX N = 2x(R+w)xq+l" using the read prime xx q" , the issue identifier 
information VV IDI", the verification value vv c" and the generated 
number *R" . The number "N" generated at this point is a prime 
10 candidate. 

Here, Nv w" is a number that satisfies xx 2xwxq+l = c mod IDI, 
0<w<IDI" . vv w" is found by calculating *w = (c-l)xmmod IDI" . xv m" 
is a number that satisfies "(2xq)xm = 1 mod IDI". As described 
above, since the issue identifier information U IDI" is an odd 
15 number — i.e. XX GCD(IDI, 2) = 1" — and u IDI<q", *m" can be found 
by calculation . The calculation method is described in detail 
in Non-patent reference 5. Note that, hereinafter, vx w" for the 
case where the 1st verification value vv cll" is used is denoted 
as "wl" while xv w" for the case where the 2nd verification value 
20 is used is denoted as xx w2". 

[0088] The prime candidate generation unit 142 reads the bit size 

xx lenq" of the prime xx q" from the information storage area of the 
information control unit 140, and judges whether the bit size 
of the generated number XN N" is xx 2xlenq". 
2 5 When determining that it is xx 2xlenq", the prime candidate 

generation unit 142 outputs the generated number XX N" to the 1st 
primality testing unit 143, and stores the generated number XX R" 
in the generated information storage area. 
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[0089] When determining that it is not vx 2xlenq" , the prime candidate 

generation unit 142 multiplies the random number XV R1" received 
from the random number generation unit 141 by 2, makes the result 
*R1", and generates the numbers *R" and XV N" once again. 
1.2.7.6 1st Primality Testing Unit 143 
[0090] Receiving the number XX N" from the prime candidate generation 

unit 142, the 1st primality testing unit 143 judges, using the 
received number XV N", whether the following equation is true. 

2~(N-1) = 1 mod N : Eq. 1 

Here, 2^(N-1) means 2 to the power of (N-l) . 
The 1st primality testing unit 143 outputs the number XX N" 
to the 2nd primality testing unit 144 when determining that Eq. 
1 is true. 

The 1st primality testing unit 143 outputs the 2nd generation 
direction to the random number generation unit 141 when 
determining that Eq. 1 is false. 
[0091] 1.2. 7. 7 2nd Primality Testing Unit 144 

Receiving the number XN N" from the 1st primality testing unit 
14 3 , the 2nd primality testing unit 144 reads the number XN R" stored 
in the generated information storage area of the prime candidate 
generation unit 142. 
[0092] The 2nd primality testing unit 144 judges, using the numbers 

XV N" and XV R", whether the following equation is true. 

2~(2XR) ^ 1 mod N Eq. 2 

When determining that the Eq. 2 is true, the 2nd primality 
testing unit 144 takes the number VX N" as a prime XX N", and outputs 
the prime VV N" to the iteration control unit 132 via the information 
control unit 140. 



When determining that the Eq. 2 is false, the 2nd primality 
testing unit 144 outputs the 2nd generation direction to the 
random number generation unit 141. 
[0093] 1.2.8 Key Judgment Unit 117 

The key judgment unit 117 has a prime storage area to store 
the two primes "pi'' and "p2" received from the prime generation 
unit 116. 

Receiving the primes "pi" and "p2" received from the prime 
generation unit 116, the key judgment unit 117 separately stores 
the received primes "pi" and "p2" in the prime storage area. 
[0094] Receiving a judgment start order from the prime generation 

unit 116, the key judgment unit 117 judges whether the two primes 
vv pl" and "p2" stored in the prime storage area agree with each 
other. When determining that they agree with each other, the key 
judgment unit 117 deletes the stored prime "p2" and outputs a 
regeneration order to the control unit 132. 

When determining that they do not agree with each other, 
the key judgment unit 117 writes the stored two primes "pi" and 
"p2" to the prime repository area of the private key repository 
111 , and outputs a key generation start order to the key generation 
unit 118. 

[0095] 1.2.9 Key Generation Unit 118 

Receiving the key generation start order from the key 
judgment unit 117 , the key generation unit 118 reads the two primes 
"pi" and "p2" stored in the prime repository area of the private 
key repository 111, and calculates the product "n" of the read 
primes "pi" and "p2" — i.e. "n = plxp2".. 

The key generation unit 118 generates a random number "e", 



further generates, as a public key, a combination XX PK = (n, e)" 
made up of the calculated vx n" and the generated random number 
xx e" , and then writes the generated public key XX PK" to the public 
key repository 112. Here, the random number xx e" is coprime to 
the number ^L" , as in the conventional technique, and satisfies 
xx l<e<L-l, GCD ( e , L) = 1" . Here, GCD ( e , L) is the greatest common 
divisor of e and L. The number XX L" is found by XX L = LCM(pl-l, 
p2-l)", and LCM(pl-l, p2-l) is the least common multiple of 
*pl-l" and xx p2-l". 
[0096] The key generation unit 118 calculates *d" satisfying xx exd 

= 1 mod L" , and writes, as a private key, a combination XX SK = 
(pi, p2, d) //r made up of the calculated xx d", and the primes xx pl" 
and xx p2" to the private key repository area of the private key 
repository 111. The key generation unit 118 outputs, to the 
information acquisition unit 119, a request start order to start 
a process of requesting a public key certificate. 
1.2.10 Information Acquisition Unit 119 

Receiving the request start order from the key generation 
unit 118, the information acquisition unit 119. separately reads 
the issue identifier information XX IDI" from the identifier 
repository 110 , the public key XX PK" from the public key repository 
112, and the server identifier of the server identifier storage 
' area 130 in the control unit 114. The information acquisition 
unit 119 transmits, to the certificate issuing server 200 via 
the transmission unit 121, the read issue identifier information 
VX IDI", public key XX PK", and server identifier, together with 
certificate issue request information for requesting to issue 
a public key certificate. 
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[0097] Receiving a distribution start order from the control unit 

114, the information acquisition unit 119 separately reads: the 
private key XX SK" store in the private key repository 111; the 
public key certificate "Cert" stored in the certificate 
repository 113 ; and the terminal identifier stored in the terminal 
information storage area of the control unit 114, and transmits, 
via the transmission unit 121 , the read private key "SK" and public 
key certificate "Cert" to the terminal 300 corresponding to the 
read terminal identifier. 

[0098] 1.2.11 Reception Unit 120 

The reception unit 120 receives information from the 
certificate issuing server 200 and the terminal 300 via the 
Internet, and outputs the received information to the control 
unit 114. 

1,2.12 Transmission Unit 121 

Receiving the issue identifier information >X IDI" , the public 
key "PK" , the server identifier, and the certificate issue request 
information from the information acquisition unit 119, the 
tx~ansmission unit 121 transmits the received individual 
information to the certificate issuing server 200. 
[0099] The transmission unit 121 receives the private key "SK" and 

the public key certificate "Cert", and transmits the received 
individual information to the terminal 300. 

1.3 STRUCTURE OF CERTIFICATE ISSUING SERVER 200 
Receiving the certificate issue request information from 
each of the key issuing servers .100, 101 and 102., the certificate 
issuing server 200 issues a public key certificate and transmits 
the issued public key certificate to the key issuing server having 



made an issue request . 
[0100] As shown in FIG. 6, the certificate issuing server 200 

comprises: a private key repository 210; an issue public key 
repository 211; an issue identifier information repository 212; 
a public key certificate repository 213; an issue public key 
determination unit 214; a public key certificate generation unit 
215; a certificate acquisition unit 216; a reception unit 217; 
and a transmission unit 218. 

The certificate issuing server 200 is, specifically 
speaking, a computer system composed of a microprocessor, ROM, 
RAM, a hard drive unit, a display unit, a keyboard, a mouse, and 
the like . A computer program is store in the RAM or the hard drive 
unit. The microprocessor operates according to the computer 
program, and thereby the certificate issuing server 200 achieves 
the function. 

[0101] Note that the certificate issuing server 200 conducts the 

same operations when receiving the certificate issue request 
information from the key issuing server 100 and from other key 
issuing servers. And therefore, in the following description, 
certificate issue request information transmitted from the key 
issuing server 100 is used. 

1.3.1 Private Key Repository 210 

The private key repository 210 stores in advance a private 
key XX SKCA" that only the certificate issuing server 200 has. 
[0102] Here, a public key "PKCA" corresponding to the private key 

*SKCA" has been distributed to the terminal 400. 

1.3.2 Issue Public Key Repository 211 

The issue public key repository 211 has an area to store 
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the public key U PK" received from the key issuing server 100. 

[0103] 1.3.3 Issue Identifier Information Repository 212 

The issue identifier information repository 212 has an area 
to store the issue identifier information "IDI" received from 
the key issuing server 100 . 

1.3.4 Public Key Certificate Repository 213 
The public key certificate repository 213 has an area to store 
the issued public key certificate ^Cert" . 

[0104] 1.3.5 Issue Public Key Determination Unit 214 

The issue public key determination unit 214, as shown in 
FIG. 6, has a server information storage area 220 and a 
determination information storage area 221. 

The server information storage area 220 has an area to store 
a server identifier which identifies, a key issuing server having 
made an issue request of a public key certificate. 

[0105] The determination information storage area 221 has a 

verification value table T200, as shown in FIG. 7. The 
verification value table T200 has an area to store at least one 
combination made up of a server identifier, a 1st verification 
value and a 2nd verification value. The server identifier is an 
identifier that identifies a key issuing server. VV SIDA" 
indicates the key issuing server 100, while "SIDB" and "SIDC" 
indicating the key issuing servers 101 and 102, respectively. 
The 1st and 2nd verification values are verification values 
assigned to the key issuing servers indicated by associated server 
identifiers. Note that the following description is given 
assuming that the server identifier of the key issuing server 
100 is "SID" . 



[0106] The issue public key determination unit 214 receives, from 

the key issuing server 100 via the reception unit 217, the issue 
identifier information xy IDI", the public key XX PK", the server 
identifier and the certificate issue request information. 

The issue public key determination unit 214 writes the 
received server identifier to the server information storage area 
220. 

[0107] The issue public key determination unit 214 reads 

corresponding 1st and 2nd verification values *cll" and *cl2" 
by using the received server identifier. 

The issue public key determination unit 214 determines, 
using the received public key XX PK" and issue identifier 
information *IDI", whether the public key "PK" has been generated 
by using the issue identifier information VV IDI". 
[0108] The determination method is explained here. The public key 

X 'PK" is VX PK = (n, e)", as described above. The issue public key 
determination unit 214 calculates *n- (cllxcl2) " , and examines 
whether the calculation result is divisible by >V IDI" . Herewith, 
it can be determined that the public key VV PK" has been generated 
using the issue identifier information *IDI". 

When XN n- (cllxcl2) " is divisible by "IDI", the issue public 
key determination unit 214 determines that the public key "PK" 
has been generated using the issue identifier information XV IDI" . 
On the other hand, when u n- (cllxcl2 ) " is not divisible by *IDI", 
the issue public key determination unit 214 determines that the 
public key VX PK" has not been generated using the issue identifier 
information xv IDI " . 
[0109] When determining that the public key NV PK" has been generated 
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using the issue identifier information XV IDI", the issue public 
key determination unit 214 writes the received public key "PK" 
to the issue public key repository 211 while writing the issue 
identifier information to the issue identifier information 
repository 212. The issue public key determination unit 214 
outputs, to the public key certificate generation unit 215, an 
order to start generating a public key certificate. 

The issue public key determination unit 214 terminates the 
process when determining that the public key "PK" has not been 
generated using the issue identifier information "IDI". 
[0110] 1.3.6 Public Key Certificate Generation Unit 215 

Receiving the order to start generating a public key 
certificate from the issue public key determination unit 214, 
the public key certificate generation unit 215 separately reads 
the private key "SKCA" from the private key repository 210, the 
public key "PK" from the issue public key repository 211, and 
the issue identifier information "IDI" from the issue identifier 
information repository 212. 
[0111] The public key certificate generation unit 215 generates 

-the public key certificate "Cert" using the read private key 
"SKCA" , public key "PK" and issue identifier information "IDI" . 
Specifically speaking, the public key certificate "Cert" to be 
generated is "Cert = n | | e | | IDI | | Sig(SKCA, n||e||IDI)". Here, 
Sig (K, D) is signature data of when a private key "K" is used 
with respect to data "D" . Here, the symbol "| |" denotes a bit 
join or byte join. 
[0112] The public key certificate generation unit 215 writes the 

generated public key certificate "Cert" to the public key 
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certificate repository 213, and outputs, to the certificate 
acquisition unit 216, an order to start transmitting the public 
key certificate "Cert" . 

1.3.7 Certificate Acquisition Unit 216 

Receiving the order to start transmitting the public key 
certificate "Cert" from the public key certificate generation 
unit 215, the certificate acquisition unit 216 separately reads 
the public key certificate v Cert" from the public key certificate 
repository 213 and the server identifier from the server 
information storage area 220, and transmits the read public key 
certificate "Cert" to the key issuing server 100 corresponding 
.to the read server identifier via the transmission unit 218. 
[0113] 1.3.8 Reception Unit 217 

The reception unit 217 receives information from the key 
issuing server 100, and outputs the received information to the 
issue public key determination unit 214. 

1.3.9 Transmission Unit 218 

The transmission unit 218 receives information from the 
certificate acquisition unit 216, and transmits the received 
information to the key issuing server 100. 
[0114] 1.4 STRUCTURE OF TERMINAL 300 

The terminal 300, as shown in FIG. 8, comprises: a private 
key repository 310; a public key certificate repository 311; a 
control unit 312 ; a reception unit 313 ; a radio unit 314 ; a baseband 
signal process unit 315; a speaker 316; a microphone 317; and 
a display unit 318 . A portable phone is an example of the terminal 
300. 

[0115] The terminal 300 is, specifically speaking, a computer 



system composed of a microprocessor, ROM, RAM, a hard drive unit, 
a display unit, a keyboard, a mouse, and the like. A computer 
program is store in the RAM or the hard drive unit. The 
microprocessor, operates according to the computer program, and 
thereby the terminal 300 achieves the function. 

[0116] Note that, since each of the terminals 301, 302, 303, 

304, 305, and 306 has the same structure as the terminal 
300, their descriptions are left out here. 

The following operations are all the same as the operation 
of when the terminal 300 transmits key issue request information 
and the terminal identifier to the key issuing server 100: when 
each of the terminals 301, and 302 transmits key issue request 
information and a terminal identifier of its own to the key issuing 
server 100; when each of the terminals 303, and 304 transmits 
key issue request information and a terminal identifier of its 
own to the key issuing server 101; and when each of the terminals 
305, and 306 transmits key issue request information and a 
terminal identifier of its own to the key issuing server 102. 
Therefore, the following describes an operation of when key issue 
request information and a terminal identifier are transmitted 
to the key issuing server 100 . 

0117] 1.4.1 Private Key Repository 310 

The private key repository 310 has an area to store the 
private key "SK = (pi, p2, d)" issued by a key issuing server 
having transmitted key issue request information — here, the key 
issuing server 100. 

1.4.2 Public Key Certificate Repository 311 

The public key certificate repository 311 has an area to 



store the public key certificate w Cert" of the public key 
corresponding to the private key issued by the key issuing server 
100. 

[0118] 1,4.3 Control Unit 312 

The control unit 312, as shown in FIG. 8, has a terminal 
identifier storage area 320. 

The control unit 312 also has a mail storage area to store 
an encrypted e-mail. 

The terminal identifier storage area 320 stores in advance 
the terminal identifier "TID" which identifies the terminal 
itself. 

[0119] Receiving a direction of a key issue request from the 

reception unit 313, the control unit 312 reads the terminal 
identifier M TID" from the terminal identifier storage area 320. 

The control unit 312 transmits the key issue request 
information and the read terminal identifier VV TID" to the key 
issuing server 100 via the baseband signal process unit 315 and 
the radio unit 314. 

Receiving the private key "SK" and public key certificate 
' v Cert" from the key issuing server 100 via the radio unit 314 
and the baseband signal process, unit 315, the control unit 312 
writes the received private key XX SK" to the private key repository 
310 while writing the public key certificate vx Cert" to the public 
key certificate repository 311. 
[0120] Receiving an encrypted e-mail from the terminal 400 via the 

radio unit 314 and the baseband signal process unit 315, the 
control unit 312 writes the received, encrypted e-mail to the 
mail storage area. 



Receiving an order to display the encrypted e-mail from the 
reception unit 313, the control unit 312 reads the private key 
"SK" from the private key repository 310 and the encrypted e-mail 
from the mail storage area, decrypts the encrypted e-mail using 
the read private key M SK", and outputs the decrypted e-mail 
(hereinafter, referred to simply as VN e-mail") to the display unit 
318. 

[0121] 1.4.4 Reception Unit 313 

Receiving a key issue request direction set out by a user 
operation, the reception unit 313 outputs the received direction 
to the control unit 312. 

Receiving an encrypted e-mail display direction sent out 
by a user operation, the reception unit 313 outputs a display 
order to the control unit 312. 
[0122] 1.4.5 Radio Unit 314 

The radio unit 314 has an antenna 319, and receives and 
transmits radio signals. 

1.4.6 Baseband Signal Process Unit 315 

The baseband signal process unit 315 performs signal process 
for outputting a signal received from the radio unit 314 to the 
speaker 316 and a signal process for outputting audio received 
from the microphone 317 to the radio unit 314. 
[0123] Receiving key issue request information and a terminal 

identifier from the control unit 312, the baseband signal process 
unit 315 transmits the received key issue request information 
and terminal identifier to the key issuing server 100 via the 
radio unit 314 . 

Receiving the private key and the public key certificate 



from the key issuing server 100 via the radio unit 314, the 
baseband signal process unit 315 outputs the received private 
key and public key certificate to the control unit 312. 
[0124] Receiving the private key and public key certificate from 

the key issuing server 100 via the radio unit 314, the baseband 
signal process unit 315 outputs the received private key and public 
key certificate to the control unit 312. 

Receiving an encrypted e-mail from the terminal 400 via the 
radio unit 314, the baseband signal process unit 315 outputs the - 
received, encrypted e-mail to the control unit 312. 
[0125] 1.4.7 Speaker 316 

The speaker 316 outputs a signal processed by the baseband 
signal process unit 315 as audio. 
1.4.8 Microphone 31 7 

The microphone 317 receives audio of the user, and outputs 
the received audio to the baseband signal process unit 315. 
[0126] 1.4.9 Display Unit 318 

The display unit 318 displays an e-mail received from the 
control unit 312. 

1.5 OPERATION OF KEY ISSUING SYSTEM 1 

The operation of the key issuing system 1 is described here. 

1.5.1 Overview of Operation of Key Issuing System 1 

The overview of operation of the key issuing system 1 is 
explained using a flow diagram shown in FIG. 9. 
[0127] The following shows an overview of operation of when the 

key issuing server 100 issues a key to the terminal 30.0 . 

First, in a key request process, the terminal 300 transmits 
key issue request information and the terminal identifier "TID" - 



to the key issuing server 100 (Step S5) . 

Receiving the key issue request information and terminal 
identifier "TID" from the terminal 300, the key issuing server 
100 generates the issue identifier information "IDI" , private 
key "SK = (pi, p2, d)" and public key "PK = (n, e)" in the key 
issuing process. The key issuing server 100 transmits the 
generated issue identifier information "IDI" and public key "PK", 
the certificate issue request information and the server 
identifier "SID" to the certificate issuing server 200 (Step S10) . 
[0128] Receiving the issue identifier information "IDI", public 

key "PK", certificate issue request information and server 
identifier "SID", the -certificate issuing server 200 judges, in 
a certificate issuing process, whether the primes "pi" and "p2" 
included in the private key "SK" corresponding to the public key 
"PK" has been generated using the issue identifier information 
"IDI" . When the judgment result is affirmative, the certificate 
issuing server 200 generates the public key certificate "Cert" 
corresponding to the public key "PK" , and transmits the generated 
public key certificate "Cert" to the key issuing server 100 (Step 
S15). 

[0129] Receiving the public key certificate "Cert" from the 

certificate issuing server 200 in the key issuing process, the 
key issuing server 100 transmits the private key "SK = (pi, p2, 
d)" and the public key certificate "Cert" to the terminal 300 
(Step S20) . 

Receiving the private key "SK" and public key certificate 
"Cert" from the key issuing server 100 in the key request process, 
the terminal 300 stores the received private key "SK" and public 
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key certificate "Cert", and then finished the system. 
[0130] 1.5.2 Key Request Process 

Here is described the operation of the key request process 

shown in FIG. 9, using a flow diagram illustrated in FIG. 10. 

Note that the operation of the key request process is described 

with the use of the terminal 300 and the key issuing server 100. 
The reception unit 313 of the terminal 300 receives a key 

issue request direction set out by a user operation (Step S100) . 
The control unit 312 of the terminal 300 acquires the 

terminal identifier "TID" from the terminal identifier storage 

area 320 (Step S105) . 
[0131] The control unit 312 of the terminal 300 transmits the key 

issue request information and the acquired terminal identifier 

"TID" to the key issuing server 100 via the baseband signal process 

unit 315 and the radio unit 314 (Step S110). 
[0132] The control unit 312 of the terminal 300 receives the private 

key "SK" and the public key certificate "Cert" from the key issuing 

server 100 via the radio unit 314 and the baseband signal process 

unit 315 (Step S115) . 

The control unit 312 writes the received private key VX SK" 

to the private key repository 310 (Step S120) while writing the 

public key certificate "Cert'' to the public key certificate 

repository 311 (Step S125) . 
[0133] 1.5.3 Key Issuing Process 

Here is described the operation of the key issuing process 

shown in FIG. 9 using flow diagrams illustrated in FIGs . 11, 12, 

13 and 14. 

Receiving, from the terminal 300 via the reception unit 120, 
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key issue request information and the terminal identifier "TID" 
of the terminal 300 (Step S200) , the control unit 114 of the key 
issuing server 100 writes the received terminal identifier "TID" 
to the terminal information storage area 131, and outputs an order 
5 to generate issue identifier information and the received 

terminal identifier "TID" to the identifier generation unit 115 
(Step S205) . 

[0134] Receiving the order to generate issue identifier information 

and terminal identifier "TID" from the control unit 114, the 

10 identifier generation unit 115 acquires the server identifier 

"SID"- stored in the server identifier storage area. The 
identifier generation unit 115 generates the issue identifier 
information "IDI" from the acquired server identifier "SID", the 
received terminal identifier "TID" and a number "1", writes the 

15 generated issue identifier information "IDI" to the identifier 

repository 110, and outputs an order to start prime generation 
to the prime generation unit 116 (Step S210). 

Receiving the order to start prime generation from the 
identifier generation unit 115, the iteration control unit 132 

20 sets both the iteration counter 135 and the output counter 136 

to *1" (Step S215) . 
[0135] The iteration control unit 132 judges whether the value of 

the iteration counter 135 is 1 (Step S220). 
[0136] When determining that it is 1 ( "YES" in Step S220), the 

25 iteration control unit 132 reads a prime and a bit size thereof 

from the initial value storage area (Step S225) . When 
determining that it is not 1 ("NO" in Step S220), on the other 
hand, the iteration control unit 132 reads, from the temporary 
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storage area, a bit size vx 8x( 2~ (n-1 ) ) " and a prime thereof — i.e. 
a prime generated in the previous time and a bit size thereof 
(Step S230) . That is, when determining that the value of the 
iteration counter 135 is not 1, the iteration control unit 132 
5 reads from the temporary storage area. Here, u n" is the value 

of the iteration counter. 
[0137] The iteration control unit 132 reads control information 

corresponding to the value of the iteration counter 135 from the 
control information table T100 (Step S235), and judges whether 
10 the read control information is "Inf ormation C" (Step S240). 

When determining that it is ^Information C" ( XV YES" in Step 
S240), the iteration control unit 132 generates 1st information 
made up of the read prime, the bit size of the prime, and the 
control information, and. outputs the generated 1st information 
15 to the prime information generation unit 133 (Step S245) . 

[0138] When determining that it is not vv Inf ormation C" ( *NO" in 

Step S240), the iteration control unit 132 acquires the issue 
identifier information "IDI" from the identifier repository 110, 
calculates the bit size xx lenIDI" of the acquired issue identifier 
20 information VV IDI" , generates 2nd information made up of the read 

prime, the bit size of the prime, the control information, the 
issue identifier information "IDl" and its bit size "lenlDI", 
and outputs the generated 2nd information to the prime information 
generation unit 133 (Step S250). 
2 5 [0139] The prime information generation unit 133 generates a prime 

in the prime generation process , and outputs the generated prime 
to the iteration control unit 132 (Step S255) . 

Receiving the prime from the prime information generation 
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unit 133, the iteration control unit 132 adds "1" to the value 
of the iteration counter 135 (Step S260) , and judges whether the 
added result is 7 (Step S265). 
[0140] When determining that the added result is not 7 ("NO" in 

Step S265), the iteration control unit 132 calculates the bit 
size of the received prime (Step S270), and temporarily stores 
the received prime and calculated bit size (Step S275) , and the 
process returns to Step S220. 

When determining that the added result is 7 ("YES" in Step 
S265) , the iteration control unit 132 further judges whether the 
value of the output counter 136 is 1 (Step S280) . 
[0141] When determining that it is 1 ("YES" in Step S280), the 

iteration control unit 132 outputs the received prime to the key 
judgment unit 117 as the prime "pi" (Step S285), adds "1" to the 
value of the output counter 136 (Step S290) , and sets the value 
of the iteration counter 13 5 to "1" (Step S295) , and the process 
returns to Step S220. 

When determining that it is not 1 — i.e. two or more — ("NO" 
in Step S280) , the iteration control unit 132 makes the received 
prime the prime "p2" and outputs the prime "p2" and a judgment 
start order to the key judgment unit 117 (Step S3 00) . 
[0142] Receiving the prime "pi" from the iteration control unit 

132 in Step S285, the key judgment unit 117 stores the received 
prime "pi" in the prime storage area. Receiving "p2" and the 
judgment start order from the iteration control unit 132 in Step 
S300, the key judgment unit 117 stores the received prime "p2" 
in the prime storage area. The key judgment unit 117 judges 
whether the two primes "pi" and "p2" stored in the prime storage 



area agree with each other (Step S305). When determining that 
they agree with each other, the key judgment unit 117 deletes 
the stored prime "p2" and outputs a regeneration order to the 
. iteration control unit 132 ("YES" in Step S305) . Receiving, from 
5 the key judgment unit 117, the regeneration order to generate 

a prime again, the iteration control unit 132 performs the 
above-mentioned Steps S290 and 295, and the process then returns 
to Step S220. 

[0143] When determining that they do not agree with each other, 

10 the key judgment unit 117 writes the stored two primes "pi" and 

"p2" in the prime repository area of the private key repository 
111, and outputs an order to start generating a key to the key 
generation unit 118 ("NO" in Step S305) . Receiving the order to 
start generating a key from the key judgment unit 117, the key 
15 . generation unit 118 reads the two primes "pi" and "p2" stored 

in the prime repository area of the private key repository 111, 
and calculates the product "n" of the read primes "pi" and 
"p2" — i.e. "n = plxp2" — (Step S310). 
.[0144] The key generation unit 118 generates the random number "e" 

20 (Step S315), further generates, as a public key, a combination 

"PK = (n, e)" made up of the calculated "n" and generated random 
number "e" , and writes the generated public key "PK" in the public 
key repository 112 (Step S320) . Here, the random number "e" is 
coprime to the number "L", as in the conventional technique, and 
25 satisfies "l<e<L-l, GCD ( e , L) =1". The number "L" is found from 

an equation of "L = LCM(pl-l, p2-l) . 
[0145] The key generation unit 118 calculates "d" satisfying "exd 

. = 1 mod L" (Step S325), writes, as a private key, a combination 
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"SK = (pi, p2, d)" made up of the calculated "d" and the primes 
"pi" and "p2" to the private key repository area of the private 
key repository 111, and outputs a request start order to the 
information acquisition unit 119 (Step S330) . 

Receiving a request start order from the key generation unit 
118, the information acquisition unit 119 separately reads the 
issue identifier information "IDI" from the identifier repository 
110, the public key "PK" from the public key repository 112, and 
the server identifier from the server identifier storage area 
130 of the control unit 114 (Step S335) . The information 
acquisition unit 119 transmits, to the certificate issuing server 
200 via the transmission unit 121, the read issue identifier 
information "IDI", public key "PK", server identifier, and 
certificate issue request information for requesting to issue 
a public key certificate (Step S340). 
] Receiving the public key certificate "Cert" from the 

certificate issuing server 200 via the reception unit 120, the 
control unit 114 writes the received public key certificate "Cert" 
to the certificate repository 113, and outputs a distribution 
start order to the information acquisition unit 119 (Step S345) . 

Receiving the distribution start order from the control unit 
114, the information acquisition unit 119 separately reads the 
private key "SK" stored in the private key repository 111, the 
public key certificate "Cert" stored in the certificate 
repository 113 , and the terminal identifier stored in the terminal 
information storage area of the control unit 114 (Step S350), 
and transmits the read private key "SK" and public key certificate 
"Cert" to the terminal 300 corresponding to the read terminal 
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identifier via the transmission unit 121 (Step S355) . 
[0147] 1.5.4 Prime Generation Process 

Here is described the operation of the prime generation 
process shown in FIG. 12, using a flow diagram illustrated in 
FIG. 15. 

Receiving, from the iteration control unit 132, either one 
of the 1st information — made of the prime *q" , the bit size of 
the prime "lenq", and the control information — and the 2nd 
information — made of the prime vx q" , the prime's bit size "lenq", 
the control information, the issue identifier information "IDI" 
and the bit size "lenlDI" , the information control unit 140 writes 
the received information to the information storage area, and 
outputs a 1st generation direction indicating random number 
generation to the random number generation unit 141 (Step S400) . 
[0148] Receiving the 1st generation direction indicating random 

number generation from the information control unit 140, the 
random number generation unit 141 reads control information 
stored in the information storage area of the information control 
unit 140 (Step S405), and judges whether the read control 
information is "Information C" (Step S410) . 

When determining that it is "Information C" ( VV YES" in Ste 
p S410) , the random number generation unit 141 reads "lenq" stored 
in the information storage area of the information control unit 
140 (Step S415) , generates a random number "Rl" of (lenq-1) bits, 
and outputs the generated random number *R1" and the read control 
information to the prime candidate generation unit 142 (Step S420) . 
Here, the first bit of the random number *R1" is 1. The method 
for generating random numbers is described in detail in Non- patent 



Reference 2 . 

[0149] When determining that it is not "Information C" ("NO" in 

Step S410), the random number generation unit 141 reads "lenq" 
and "lenlDI" stored in the information storage area of the 
information control unit 140 (Step S425). Then, the random 
number generation unit 141 generates a random number "Rl" of 
(lenq-lenIDI-1) bits, and outputs the generated random number 
"Rl" and the read control information to the prime candidate 
generation unit 142 (Step S430) . Here, the first bit of the random 
number "Rl" is 1. 

[0150] The prime candidate generation unit 142 generates the random 

number "R" and the number "N" of a prime candidate in the prime 
candidate generation process, stores the generated random number 
"R" in the generated information storage area, and outputs the 
generated number "N" to the 1st primality testing unit 143 (Step 
S435) . 

Receiving the number "N" from the prime candidate generation 
unit 142, the 1st primality testing unit 143 judges, using the 
received number "N", whether the above-mentioned equation (Eq. 
1) is true (Step S440). 
[0151] When determining that Eq. 1 is true, the 1st primality 

testing unit 143 outputs the . number "N" to the 2nd primality 
testing unit 144 ("YES" in Step S440) . Receiving the number "N" 
from the 1st primality testing unit 143, the 2nd primality testing 
unit 144 reads the number "R" stored in the generated information 
storage area of the prime candidate generation unit 142, and judges 
whether the above-mentioned equation Eq. 2 is true (Step S445) . 
[0152] When determining that Eq. 2 is true ("YES" in Step S445), 



the 2nd primality testing unit 144 takes the number "N" as a prime 
*N", and outputs the prime "N" to the iteration control unit 132 
via the information control unit 140 (Step S450). 

When determining that Eq. 1 is false, the 1st primality 
testing unit 143 outputs a 2nd generation direction to the random 
number generation unit 141 ("NO" in Step S440) . When determining 
that Eq. 2 is false, the 2nd primality testing unit 144 outputs 
a 2nd generation direction to the random number generation unit 
141 ("NO" in Step S445) . Then, the random number generation unit 
141 receives the 2nd generation direction to generate a random 
number again from either the 1st primality testing unit 143 or 
the 2nd primality testing unit 144, and the process returns to 
Step S405. 

[0153] 1.5.5 Prime Candidate Generation Process 

Here is described the operation of the prime candidate 
generation process shown in FIG. 15, using flow diagrams 
illustrated in FIGs . 16 and 17 . 

Receiving the random number "Rl" and control information 
from the random number generation unit 141 (Step S500) , the prime 
candidate generation unit 142 judges whether the received control 
information is "Information C" (Step S505) . 
[0154] When determining that it is "information C" ("YES" in Step 

S505), the prime candidate generation unit 142 reads the prime 
"q" from the information storage area of the information -control 
unit 140 (Step S510) . The prime candidate generation unit 142 
generates a number "N = 2xRlxq+l", using the read prime "q" and 
the random number "Rl" received from the random number generation 
unit 141 (Step S515) . The prime candidate generation unit 142 



judges whether a bit size xv lenN" of the generated number W N" 
matches vv lenq" (Step S520). When determining that they match 
each other ("YES" in Step S520), the prime candidate generation 
unit 142 outputs the generated number VV N" to the 1st primality 
testing unit 143 , and stores , in the generated information storage 
area, the received random number >X R1" as XX R" (Step S595) . 

[0155] When determining that they do not match each other ( n NO" 

in Step S520) , the prime candidate generation unit 142 multiplies 
the random number XV R1" received from the random number generation 
unit 141 by 2, and makes the result % R1" (Step S525), and then 
. the process returns to Step S515. 

When determining that the control information is not 
^Information C" pNO" in Step S505), the prime candidate 
generation unit 142 reads the prime rv q" and the issue identifier 
information VN IDI" from the information storage area of the 
information control unit 140 (Step S530) . The prime candidate 
generation unit 142 judges whether the control information is 
^Information B" (Step S535) . 

[0156] When determining that it is * Information B" pYES" in Step 

S535) , the prime candidate generation unit 142 generates a join 
value "IDI | | Rl" from the received random number *R1" and the read 
- .issue identifier information "IDI", and then generates a number 
M R = f(IDI| |R1)" using the generated join value XV IDI| |R1" and 
the function *f " stored in the function storage area (Step S540) . 
The prime candidate generation unit 142 generates the number VX N 
= 2xRxq+l", using the generated number "R" and the read prime 
"q" (Step S545) . 

[0157] The prime candidate generation unit 142 judges whether a 



bit size "lenN" of the generated number "N" is "2xlenq" (Step 
S550) . 

When determining that it is "2xlenq" ("YES" in Step S535), 
the prime candidate generation unit 142 outputs the generated 
5 number "N" to the 1st primality testing unit 143, and stores the 

generated number "R" to the generated information storage area 
(Step S595) . 

[0158] When determining that it is not "2xlenq" ( "NO" in Step S550) , 

the prime candidate generation unit 142 multiplies the random 
10 number "Rl" received from the random number generation unit 141 

by 2, and makes the result "Rl" (Step S555) , and the process then 
returns to Step S540 . 

When it is determined that the control information is not 
"Information B" ("NO" in Step S535), the prime candidate 
15 generation unit 142 generates the number "R = IDIXR1" using the 

received random number "Rl" and the read issue identifier 
information "IDI" (Step S560) . The prime candidate generation 
unit 142 outputs a number read-out order to the information 
control unit 140, and receives the number of the output counter 
20 136 from the information control unit 140. The prime candidate 

generation unit 142 judges whether the value of the output counter 
136 is "1" (Step S565). 
[0159] When determining that the number of outputs is "1" ("YES" 

in Step S565) , the prime candidate generation unit 142 reads the 
2 5 1st verification value "ell" from the verification- value storage 

area of the information control unit 140 (Step S570) . The prime 
candidate generation unit 142 generates a number "N = 
2x(R+wl)Xq+l" using the read prime "q", the issue identifier 
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information "IDI" , the verification value "ell" and the generated 
number "R" (Step S575) . Here, vv wl" is a number satisfying 
"2xwlxq+l = ell mod IDI, 0<wl<IDI" . 

[0160] When determining that the number of outputs not is "1" — that 

is, "two" or more ("NO" in Step S565), the prime candidate 
generation unit 142 reads the 2nd verification value "cl2" from 
the verification -value storage area of the information control 
unit 140 (Step S580) . The prime candidate generation unit 142 
generates a number "N = 2x(R+w2 )xq+l" using the read prime "q" , 
the issue identifier information "IDI", the verification value 
"cl2" and the generated number "R" (Step S585) . Here, "w2" is 
a number satisfying "2xw2xq+l = cl2 mod IDI, 0<w2<IDI" . 

[0161] The prime candidate generation unit 142 reads the bit size 

"lenq" of the prime "q" from the information storage area of the 
information control unit 140, and judges whether the bit size 
of the generated number "N" is "2xlenq" (Step S590) . 

When determining that it is "2xlenq" ("YES" in Step S590), 
the prime candidate generation unit 142 outputs the generated 
number "N" to the 1st primality testing unit 143, and stores the 
generated number "R" in the generated information storage area 
(Step S595) . 

[0162] When determining that it is not "2xlenq" ("NO" in Step S590) , 

the prime candidate generation unit 142 multiplies the random 
number "Rl" received from the random number generation unit 141 
by 2, makes the result "Rl" (Step S600), and the process then 
returns to Step S560. 

1.5.6 Certificate Issuing Process 

Here is described the operation of the certificate issuing 



process shown in FIG. 9, using a flow diagram illustrated in FIG. 
18. 

[0163] The issue public key determination unit 214 of the 

certificate issuing server 200 receives, from the key issuing 
server 100 via the reception unit 217, the issue identifier 
information XX IDI", the public key XX PK", the server identifier 
and the certificate issue request information (Step S650) . 

The issue public key determination unit 214 writes the 
received server identifier to the server information storage area 
220 (Step S655) . 

The issue public key determination unit 214 reads 
corresponding 1st and 2nd verification values "ell" and *cl2" 
by using the received server identifier (Step S660) . 
[0164] The issue public key determination unit 214 determines 

whether the public key U PK" has been generated using the issue 
identifier information "IDI" by using the read 1st verification 
value vv cll" and 2nd verif ication value "cl2" , the received public 
key "PK" , and the issue identifier information VV IDI" (Step S660) . 
[0165] When xv n- (cllxcl2 ) " is divisible by "IDI" — i.e. when judging 

that the public key XV PK" has been generated using the issue 
identifier information "IDI" ("YES" in Step S660), the issue 
public key determination unit 214 separately writes the received 
public key "PK" to the issue public key repository 211 and the 

issue identifier information to the issue identifier information 

. .. f 

repository 212, and outputs, to the public key certificate 
generation unit 215, an order to start generating a public key 
certificate (Step S665) . 
[0166] The issue public key determination unit 214 terminates the 
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process when determining that the public key "PK" has not been 
generated using the issue identif ier information "IDI" ( "NO" in 
Step S660) . 

Receiving the order to start generating a public key 
certificate from the issue public key determination unit 214, 
the public key certificate generation unit 215 separately reads 
the private key "SKCA" from the private key repository 210, the 
public key "PK" from the issue public key repository 211, and 
the issue identifier information "IDI" from the issue identifier 
information repository 212 (Step S670) . 
[0167] The public, key certificate generation unit 215 generates 

the public key certificate "Cert" using the read private key 
"SKCA", public key "PK" and issue identifier information "IDI", 
writes the generated public key certificate "Cert" to the public 
key certificate repository 213, and outputs, to the certificate 
acquisition unit 216, an order to start transmitting the public 
key certificate "Cert" (Step S675) . 

Receiving the order to start transmitting the public key 
certificate "Cert" from the public key certificate generation 
unit 215, the certificate acquisition unit 216 separately reads 
the public key certificate "Cert" from the public key certificate 
repository 213 and the server identifier from the server 
information storage area 220, and transmits the read public key 
certificate "Cert" to the key issuing server 100 corresponding 
to the read server identifier via the transmission unit 218 (Step 
S680). 

0168] 1.6 EXAMINATION OF OPERATION OF PRIME INFORMATION 

GENERATION UNIT 133 



The 1st and 2nd primality testing units 143 and 144 of the 
prime information generation unit 133 apply Pocklington' s 
Theorem. Pocklington' s Theorem is described in detail in 
Non-patent Reference 1 (p. 144) and Non-patent Reference 4. The 
5 following is a brief explanation of the theorem. 

According to Pocklington ' s Theorem, when vx q" of *N = 2xRxq+l" 
is a prime and both: 

2~(N-1) = 1 mod N; and 
2" N (2R) jt 1 mod N 

10 are true, the number U N" is a prime. And, the prime information 

generation unit 133 can output the number *N" as a prime. 
[0169] In addition, since the bit size of the random number VX R1" 

is (lenq-lenIDI-1) , the bit size of the number *R" becomes 
(lenq-1) and the bit size of the number *N", in most instances, 
15 becomes (2xlenq) . Here, depending on the values of the prime "q" , 

the issue identifier information *IDI", and the like, the bit 
size may be (2xlenq-l) . In this case, the prime candidate 
generation unit 142 carl set the bit size of the number "N" to 
be generated to (2xlenq) by multiplying Rl by 2 and newly taking 
20 the result as Rl, as described above. 

[0170] 1.7 ADVANTAGEOUS EFFECT OF 1ST EMBODIMENT 

1.7.1 Uniqueness of Generated Key 

Here is described the uniqueness of a key genierated by the 
key issuing server 100 — i.e. the uniqueness of a prime. 
25 The following proposition is here to be proved. 

[0171] Proposition: When the issue identifier information IDI is 

different, the output prime *N" is different. 

First, the following lemma is going to be proved, and then 
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the above proposition will be proved using the lemma. 

Lemma: If pi = p2, where pi and p2 are primes with "pi = 
2xqlxRl+l" and "p2 = 2xq2XR2+l", ql = q2 and Rl = R2 . 

Proof: When pi = p2, the bit sizes of the primes "ql" and 
"q2" are respectively 256 bits while the bit sizes of the numbers 
"Rl" and "R2" are respectively 255 bits . Therefore, it is obvious 
that ql = q2 . In addition, since ql = q2, the equality of Rl = 
R2 is also met (which was to be proven) . 

0172] According to the above lemma, if pi = p2, Rl = R2 is met. 

When Rl = f(IDIl| |R11) and R2 = f(IDl2| |R22), IDI1 = IDI2 is met 
since Rl = R2 and f is an injection. Accordingly, by obtaining 
the contraposition, the above proposition is met. Herewith, a 
different IDI always yields a different prime . Accordingly, by 
providing a different IDI for the key issuing server 100 each 
time, a different prime can be generated every time. Thereby, 
the uniqueness of the generated prime is maintained. 

0173] Accordingly, it can be proved, without the need for 

comparison, that primes generated multiple times do not conform 
to each other. 

1.7:2 Validity of Generated Key 

With the prime "pi" generated by the key issuing server 100, 
"pl-cll" is always, divisible by the issue identifier information 
"IDI". 

This is because "pl-cll = 2xqx(R+wl)+l-cll 
2xqX(IDIXRl+wl)+l-cll « 2xqxIDIXRl+2xqxwl+l-cll" , and it can be 
seen that the term "2xqxlDIXRl" is divisible by "IDI". In 
addition, since "2xqxwl+l = ell mod IDI" has been met, as described 
above, the remaining term "2xqxwl+l-cll" is also divisible by 



"IDI" . That is, with the prime "pi" generated by the key issuing 
server 100, "pl-cll" is always divisible by the issue identifier 
information "IDI". Therefore, whether the prime vv pl ;/ is 
generated using the key issuing server 100 can be determined by 
examining "pl-cll" being divisible by the issue identifier 
information "IDI". 
0174] In addition, for the same reason, with the prime "p2" , 

"p2-cl2" is always divisible by the issue identifier information 
"IDI" . 

Accordingly, since xv n-cllxcl2" is divisible by "IDI", the 
certificate issuing server 200 can determine whether the primes 
"pi" and "p2" have been properly generated using the issue 
identifier information "IDI" by examining "n-cllxcl2" being 
divisible by "IDI". 
0175] This is because, the primes "pi" and "p2", which are private 

keys, satisfy the following with the primes "ql" and "q2" , the 
random numbers "Rll" .and "R12", and the issue identifier 
information "IDI" : "pi = 2xqlX(IDlXRll+wl)+l = ell mod IDI" and 
"p2 = 2xq2x(IDlxR12+wl)+l = cl2 mod IDI". Therefore, the 
following equalities are obtained: 

« 

n = plxp2 = (2xqlXIDIXRll+l)X(2xq2XIDlXR12 + l) 
= cllxcl2 mod IDI. 
Accordingly, the certificate issuing server 200 is capable of 
determining whether the key issuing server has properly generated 
the primes "pi" and "p2" using the issue identifier information 
IDI by examining "n~cllxcl2" being divisible by "IDI". 
6] Note that, since the bit size of "IDI" is "lenlDI" and the 

bit size of "Rl" is ( lenq-lenIDI-1) , the bit size of "Nl = 



2xqx(IDlXRl+w)+l" becomes 2xlenql in most instances. Here, 
depending the values of "ql", M IDI", and the like, the bit size 
may be (2xlenq-l) . In this case, the prime candidate generation 
unit 142 can set the bit size of the number M N1" to ' v 2xlenql" 
by multiplying VV R1" by 2 and newly taking the result as "Rl" . 
[0177] Furthermore, when a terminal commits misconduct using 

private keys that the terminal has, the key issuing system 1 can 
obtain information of the terminal having committed misconduct 
from the private keys in the following determination method. 
Assume that private keys *pl" and xx p2" are identified as those 
of a terminal having committed misconduct, and that a tracker 
of the misconduct — for example, a manager of the certificate 
issuing server 200 — Jias a correspondence table between issue 
identifier information and terminals . Both "pl-cll" and 
xv p2-cl2" are divisible by the issue identifier information *IDI" . 
Therefore, GCD(pl-cll, p2-cl2) is divisible by the issue 
identifier information XV IDI" . Accordingly, by investigating the 
prime factor of GCD(pl-cll, p2-cl2), the tracker can limit and 
determine possible issue identifier information, which assists 
in obtaining the issue identifier information— i.e. identifying 
the terminal . 

0178] 1.8 MODIFIED EXAMPLE 1 OF PRIME GENERATION 

Although the above embodiment uses two verification 
values — the 1st and 2nd verification values, here is described 
prime generation in which only one verification value is used. 

Modified Example 1 differs from the above embodiment in 
the prime information generation unit in the key issuing server 
and the issue public key determination unit in the certificate 



issuing server. The following describes a prime information 
generation unit 13 3A and an issue public key determination unit 
214A of this modified example. Note that, with respect to other 
structural components, the same components shown in the first 
embodiment are used. 
[0179] 1.8.1 Prime Information Generation Unit 133A 

The prime information generation unit 133A, as shown in 
FIG. 19, comprises: an information control unit 140A; a random 
number generation unit 141A; a prime candidate generation unit 
142A; a 1st primality testing unit 143A; and a 2nd primality 
testing unit 144A. 

The prime information generation unit 133A generates a 
prime whose bit size is twice as large as that of a prime received 
from the iteration control unit 132. 
[ 0180 ] Note that the following describes each structural component , 

assuming that the prime received from the iteration control unit 
132 is xv q" and the bit size is xv lenq" . 

1.8.1.1 Information Control Unit 140A 

The information control unit 14 OA has an information storage 
area to store 1st and 2nd information. 
[0181] The information control unit 140A has a verification- value 

storage area that stores in advance a verification value xx cl" 
which is assigned by the certificate issuing server 200 and used 
when a prime is generated based on the control information 
^Information A". 

Receiving, from the iteration control unit 132, the 1st 
information made up of the prime *q" , the prime's bit size "lenq" , 
and the control information, the information control unit 140A 



writes the received 1st information to the information storage 
area . That is , the information control unit 14 OA writes the prime 
*q", the prime's bit size "lenq", and the control information 
(in this case xv Information C" ) . 
[0182] Receiving, from the iteration control unit 132, the 2nd 

information made up of the prime XN q" , the prime's bit size "lenq" , 
the control information, the issue identifier information "IDI" 
and the bit size ^lenlDI", the information control unit 140A 
writes the received 2nd information to the information storage 
area. That is, the information control unit 140 writes the prime 
' x q" , the prime's bit size "lenq", the control information, the 
issue identifier information XX IDI" and the bit size "lenlDI". 
[0183] After writing the received information, the information control 

unit 140A outputs a 1st generation direction indicating a direction 
of random number generation to a random number generation unit 14 1A. 

Receiving a prime from the 2nd primality testing unit 144A, 
the information control unit 14 OA outputs the received prime to 
the iteration control unit 132. 

1.8.1.2 Random Number Generation Unit 141A 

Since the random number generation unit 141A is the same 
as the random number generation unit 141 of the first embodiment, 
the description is left out here. 
[0184] 1.8.1.3 Prime Candidate Generation Unit 142A 

The prime candidate generation unit 14 2A has: a generated 
information storage area to store generated information; and a 
function storage area that stores in advance a function x> f " which 
is an injection: Here, the function u f" is, for example, f(X| |Y) 
= Enc(K, X | | Y) . Enc (K, X| |Y) is an encrypted text obtained by 



encrypting (X| |Y) by a common key encryption method using a key 
K. An encryption function of a common key encryption method is 
generally a bijection. In addition, the symbol vv | | " is a bit join 
or byte join. An example of the encryption function u Enc(K, X| | Y) 
is xx Enc(K, X| | Y) = K XOR X| | Y" . Note that an example of the common 
key encryption method is DES, and when DES is employed, the key 
length is 128 bits. 

[0185] Receiving the random number VX R1" and control information 

from the random number generation unit 14 1A, the prime candidate 
generation unit 142A judges whether the received control 
information is vv Information C" . 

When determining that it is xx Information C" , the prime 
candidate generation unit 142A reads the prime "q" from the 
information storage area of the information control unit 140A. 
The prime candidate generation unit 14 2A generates a number 
= 2xRlxq+l" , using the read prime "q" and the random number *R1" 
received from the random number generation unit 14 1A. The number 
generated at this point becomes a prime candidate . The prime 
candidate generation unit 14 2A judges whether a bit size "lenN" 
of the generated number W N" matches xv lenq" . When determining 
that they match each other, the prime candidate generation unit 
14 2 A outputs the generated number *N" to the 1st primal ity testing 
unit 143A, and stores, in the generated information storage area, 
the received random number *R1" as tt R" ■; 

; 0186] When determining that they do not match each other, the prime 

candidate generation unit 14 2 A multiplies the random number *R1" 
received from the random number generation unit 141A by 2, makes 
the result XX R1" , and then generates the number XV N = 2xRlxq+l" 
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by conducting the above operation once again. 

When determining that the control information is not 
'"Information C" , the prime candidate generation unit 142A reads 
the prime "q" and the issue identifier information "IDI" from 
the information storage area of the information control unit 140A. 
The prime candidate generation unit 14 2A judges whether the 
control information is "Information B" . 
0187] When determining that it is "Information B" , the prime 

candidate generation unit 14 2A generates a number "R = f ( IDI | | Rl ) " 
using the received random number "Rl", the read issue identifier 
information "IDI", and the function "f" stored in the function 
storage area . The prime candidate generation unit 14 2 A generates 
the number "N =-2xRlxq+l" using the generated number "R" and the 
read prime "q" . 

0188] The prime candidate generation unit 142A judges whether a 

bit size "lenN" of the generated number "N" is "2xlenq" . 

When determining that it is "2xlenq", the prime candidate 
generation unit 14 2 A outputs the generated number "N" to the 1st 
primality testing unit 14 3A, and stores the generated number "R" 
to the generated information storage area. 

0189] When determining that it is not "2xlenq" , the prime candidate 

generation unit 142A multiplies the random number "Rl" received 
from the random number generation unit 141A by 2, makes the result 
"Rl", and generates the numbers "R" and n N" once again. 

When it is determined that the control information is not 
"Information B", the prime candidate generation unit 142A 
generates the number "R = IDIXRl" using the received random number 
"Rl" and the read issue identifier information "IDI". 
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[0190] The prime candidate generation unit 142A reads the 

verification value "cl" from the verification -value storage area 
of the information control unit 140A. 

The prime candidate generation unit 14 2A generates a number 
VV N — 2x(R+w)Xq+l" using the read prime vx q" , the issue identifier 
information XX IDI" , the verification value "cl" and the generated 
number n R" . 

[0191] Here, "w" is a number that satisfies "2xwxq+l = cl mod IDI, 

0<w<IDI". *w" is found by calculating vv w = (cl-l)xm mod IDI". 
xv m" is a number that satisfies *(2xq)Xm = 1 mod IDI". 

The prime candidate generation unit 142A reads the bit size 
A> lenq" of the prime ^q" from the information storage area of the 
information control unit 140A, and judges whether the bit size 
of the generated number W N" is % 2 xlenq". 
[0192] When determining that it is "2xlenq", the prime candidate 

generation unit 142A outputs the generated number XV N" to the 1st 
primality testing unit 14 3A, and stores the generated number *R" 
in the generated information storage area. 

When determining that it is not *2xlenq" , the prime candidate 
generation unit 14 2 A multiplies the random number XX R1" received 
from the random number generation unit 141A by 2, makes the result 
VX R1", and generates the numbers . VN R" and "N" once again. 
[0193] 1.8.1.4 1st Primality Testing Unit 143A 

Since the 1st primality testing unit 14 3A is the same as 
the 1st primality testing unit 143 of the first embodiment, the 
description is left out here. 

1.8.1.5 2nd Primality Testing Unit 144A 

Since the 2nd primality testing unit 144A is the same as 
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the 2nd primality testing unit 144 of the first embodiment, the 
description is left out here. 
[0194] 1.8.2 Issue Public Key Determination Unit 214A 

Although not shown in the figure, a server information 
5 storage area 2 2 OA and a determination information storage area 

221A are included in the issue public key determination unit 214A. 

The server information storage area 220A has an area to store 
a server identifier which identifies a key issuing server having 
made an issue request of the public key certificate. 
10 [0195] The determination information storage area 221A, as shown 

in FIG. 20, has a verification value table T250 . The verification 
value table T250 has an area to store at least one combination 
made up of a server identifier and a verification value. The 
server identifier is an identifier that identifies a key issuing 
15 server. XX SIDA" indicates the key issuing server 100,. while 

n SIDB" and VV SIDC" indicating the key issuing servers 101 and 102, 
respectively . The verification values are values assigned to the 
key issuing servers indicated by associated server identifiers. 
. Note that the following description is given assuming that, the 
20 server identifier of the -key issuing server 100 is VX SID". 

[019 6] The issue public key determination unit 214A receives, from 

the key issuing server 100 via the reception unit 217, the issue 
identifier information VV IDI", the public key *PK", the server 
identifier and the certificate issue request information. 
25 The issue public key determination unit 214A writes the 

received server identifier to the server information storage area 
220A. 

[0197] The issue public key determination unit 214A reads a 
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corresponding verification value NV cl" by using the received 
server identifier. 

The issue public key determination unit 214A determines, 
using the received public key V 'PK" and issue identifier 
information VX IDI" , whether the public key "PK" has been generated 
by using the issue identifier information "IDI". 
[0198] Here, the determination method involves an examination of 

whether ' v n-(cl)^2" is divisible by XX IDI". Herewith, it can be 
determined that the public key "PK" has been generated using the 
issue identifier information XX IDI". 

When M n-(cl) >N 2 // is divisible by XV IDI", the issue public key 
determination unit 214A determines that the public key *PK" has 
been generated using the issue identifier information "IDI". On 
the other hand, when n n-(cl)^2" is not divisible by VX IDI", the 
issue public key determination unit 214 determines that the public 
key XX PK" has not been generated using the issue identifier 
information W IDI" . 
[0199] When determining that the public key "PK" has been generated 

using the issue identifier information "IDI" , the issue public 
key determination unit 2 14 A writes the received public key VX PK" 
to the issue public key repository 211 while writing the issue 
identifier information to the issue identifier information 
repository 212. The issue public k^y determination unit 214A 
outputs, to the public key certificate generation unit 215, an 
order to start generating a public key certificate. 

The issue public key determination unit 214A terminates the 
process when determining that the public key yx PK" has not been 
generated using the issue identifier information U IDI" . 
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[0200] 1.8.3 Prime Candidate Generation Process 

As to the prime candidate generation process according to 
the present modified example, only differences from the prime 
candidate generation process shown in the first embodiment are 
explained here. Note that, since the operational flows of the 
key issuing process and the prime generation process are the same 
as those in the first embodiment, the descriptions are left out 
here . 

After executing Steps S500 to S560 shown in FIGs . 16 and 
17, the prime candidate generation unit 142A omits Step S565 and 
reads the verification value xv cl" in Step S570. In Step S575, 
the prime candidate generation unit 14 2 A generates the number 
^N = 2x(R+w)Xq+l" . That is, while Steps S565, 580 and 585 are 
omitted, Steps S570 and S575 are modified as above. 
[0201] The following is the same as the first embodiment, and 

therefore the description is left out. 

Namely, the prime candidate generation process according to the 
present modified example generates the number XX N" using the 
verification value VN cl", the prime XN q", and the number XV R", 
independent of the value of the output counter. 
1.8.4. Certificate Issuing Process 

As to the certificate issuing process according to the 
present modified example, only differences from the certificate 
issuing process shown in the first embodiment are explained here. 
[0202] In Step S660, the issue public key determination unit 214A 

reads a verification value (for example, n cl") corresponding to 
the received server identifier. Then, in Step S670, by using the 
read verification value *cl", the public key XV PK" and the issue 
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identifier information *IDI" , the issue public key determination 
unit 214A determines whether "PK" has been generated using *IDI" . 
1.9 MODIFIED EXAMPLE 2 OF PRIME GENERATION 
Although the above embodiment uses two verification 
5 values — the 1st and 2nd verification values, here is described 
prime generation in which only one verification value is used 
and the verification value is a fixed value of vv l" . 

Modified Example 2 differs from the above embodiment in 
the prime information generation unit in the key issuing server 
10 and the issue public key determination unit in the certificate 

issuing server. The following describes a prime information 
generation unit 13 3B and an issue public key determination unit 
214B of this modified example. Note that, with respect to other 
structural components, the same components shown in the first 
15 embodiment are used. 

[0203] 1.9.1 Prime Information Generation. Unit 133B 

The prime information generation unit 133B, as shown in 
FIG. 21, comprises: an information control unit 140B; a random 
number generation unit 141B; a prime candidate generation unit 
20 142B; a 1st primality testing unit 14 3B; and a 2nd primality 

testing unit 14 4B. 

The prime information generation unit 133B generates a prime 
whose bit size is twice as large as that of a prime received from 
the iteration control unit 132. 
25 [0204 ] Note that the following describes each structural component, 

assuming that the prime received from the iteration control unit 
132 is yv q" and the bit size is >x lenq". 

1.9.1.1 Information Control Unit 140B 
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The information control unit 14 OB has an information storage 
area to store 1st and 2nd information. 

[0205] The information control unit 140B has a verification- value 

storage area that stores in advance a verification value *1" which 
is used when a prime is generated based on the control information 
vv Inf ormation A". 

Receiving, from the iteration control unit 132, the 1st 
information made up of the prime NN q" , the prime' s bit size "lenq" , 
and the control information, the information control unit 140B 
writes the received 1st information to the information storage 
area . That is , the information control unit 140B writes the prime 
>x q", the prime's bit size "lenq", and the control information 
(in this case xx Information C"). 

[0206] Receiving, from the iteration control unit 132, the 2nd 

information made up of the prime vx q" , the prime's bit size vx lenq" , 
the control information, the issue identifier information XN IDI" 
and the bit size "lenlDI", the information control unit 140B 
writes the received 2nd information to the information storage 
area. That is, That is, the information control unit 140B writes 
the prime *q" , the prime's bit size "lenq", the control 
information, the issue identifier information "IDI" and the bit 
size "lenlDI". 

[0207] After writing the received information, the information control 

unit 140B outputs a 1st generation direction indicating a direction 
of random number generation to a random number generation unit 141B. 

Receiving a prime from the 2nd primality testing unit 144B, 
the information control unit 14 0B outputs the received prime to 
the iteration control unit 132. 
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1.9.1.2 Random Number Generation Unit 141B 
Since the random number generation unit 14 IB is the same 
as the random number generation unit 141 of the first embodiment, 
the description is left out here. 

[0208] 1.9.1.3 Prime Candidate Generation Unit 142B 

The prime candidate generation unit 142B has: a generated 
information storage area to store generated information; and a 
function storage area that stores in advance a function *f " which 
is an injection. 

Receiving the random number XX R1" and control information 
from the random number generation unit 14 IB, the prime candidate 
generation unit 14 2B judges whether the received control 
information is * Information C" . 

[0209] When determining that it is * Information C" , the prime 

candidate generation unit 142B reads the prime XN q" from the 
information storage area of the information control unit 140B. 
The prime candidate generation unit 142B generates a number XX N 
= 2XRlxq+l" by using the read prime "q" and the random number 
*R1" received from the random number generation unit 141B. The 
number *N" generated at this point becomes a prime candidate. 
The prime candidate generation unit 142B judges whether a bit 
size vx lenN" of the generated number "N" matches *lenq". When 
. determining that they match each other, the prime candidate 
generation unit 142B outputs the generated number NX N" to the 1st 
primality testing unit 143B, and stores, in the generated 
information storage area, the received random number VV R1" as VV R" . 

[0210] When determining that they do not match each other, the prime 

candidate generation unit 14 2B multiplies the random number "Rl" 
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received from the random number generation unit 141B by 2, makes 
the result "Rl", and then generates the number "N = 2xRlxq+l" 
by conducting the above operation once again. 

When determining that the control information is not 
5 "Information C" , the prime candidate generation unit 142B reads 

the prime "q" and the issue identifier information "IDI" from 
the information storage area of the information control unit 140B. 
The prime candidate generation unit 14 2B judges whether the 
control information is "Information B" . 

10 When determining that it is "Information B", the prime 

candidate generation unit 14 2B generates a number "R = f ( IDI | | Rl ) " 
using the received random number "Rl", the read issue identifier 
information "IDI", and. the function "f" stored in the function 
storage area . The prime candidate generation unit 14 2B generates 

15 the number "N = 2xRlxq+l" using the generated number "R" and the 

read prime "q" . 

[0211] The prime candidate generation unit 142B judges whether a 

bit size "lenN" of the generated number "N" is "2xlenq" . 

When determining that it is "2xlenq", the prime candidate 
20 generation unit 142B outputs the generated number "N" to the 1st 

primality testing unit 143B, and stores the generated number "R" 
to the generated information storage area. 
[0212] When determining that it is not "2xlenq" , the prime candidate 

generation unit 142B multiplies the random number "Rl" received 
2 5 from the random number generation unit 141B by 2, makes the result 

"Rl", and generates the numbers "R" and "N" once again. 

When it is determined that the control information is not 
"Information B", the prime candidate generation unit 142B 
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generates the number XV R = IDIXR1" using the received random number 
tt Rl ff and the read issue identifier information XX IDI". 
[0213] The prime candidate generation unit 142B reads the 

verification value xx l" from the verification -value storage area 
of the information control unit 140B. 

The prime candidate generation unit 14 2B generates a number 
XX N = 2xRxq+l" using the read prime xx q" , the issue identifier 
information XX IDI", the verification value xx l" and the generated 
number XX R" . Here, "1" in the latter term is the verification 
value . 

[0214] The prime candidate generation unit 142B reads the bit size 

xx lenq" of the prime xx q" from the information storage area of the 
information control unit 140B, and judges whether the bit size _ 
of the generated number XX N" is "2 xlenq" . 

When determining that it is xx 2xlenq", the prime candidate 
generation unit 142B outputs the generated number XX N" to the 1st 
primality testing unit 14 3B, and stored the generated number XX R" 
in the generated information storage area. 

[0215] . - When determining that it is not v 2xlenq" , the prime candidate 
generation unit 142B multiplies the random number XX R1" received 
from the random number generation unit 141B by 2, makes the result 
XX R1", and generates the numbers X \R" and XX N" once again. 
1.9.1.4 1st Primality Testing Unit 143B 

Since the 1st primality testing unit 14 3B is the same as 
the 1st primality testing unit 143 of the first embodiment, the 
description is left out ...... 

[0216] 1.9.1.5 2nd Primality Testing Unit 144B 

Since the 2nd primality testing unit 144B is the same as 



the 2nd primality testing unit 144 of the first embodiment, the 

description is left out here. 

1.9.2 Issue Public Key Determination Unit 214B 
Although not shown in the figure, a server information 

storage area 2 2 OB and a determination information storage area 

221B are included in the issue public key determination unit 214B . 

[0217] The server information storage area 220B has ah area to store 

a server identifier which identifies a key issuing server having 

made an issue request of the public key certificate. 

The determination information storage area 2 2 IB stores 

therein the verification value xv l", which is a fixed value. 

The issue public key determination unit 214B receives, from 

the key issuing server 100 via the reception unit 217, the issue 

identifier information W IDI", the public key VX PK", the server 

identifier and the certificate issue request information. 

[0218] The issue public key determination unit 214B writes the 

received server identifier to the server information .storage area 

220B. 

The issue public key determination unit 214B reads the 
verification value xy l" from the determination information 
storage area 2 2 IB. 

The issue public key determination unit 214B determines, 
using the received public key VX PK" and issue identifier 
information M IDI" , whether the public key VX PK" has been generated 
by using the issue identifier information "IDI". 
[0219] Here, the determination method involves an examination of 

whether xx n-(the verification value)" — i.e. "n-1" — is divisible 
by XN IDI" . Herewith, it can be determined that the public key "PK" 



89 



has been generated using the issue identifier information, VX IDI" . 

When vv n-l" is divisible by "IDI", the issue public key 
determination unit 214B determines that the public key VX PK" has 
been generated using the issue identifier information XV IDI" . On 
5 the other hand, when *n-l" is not divisible by VX IDI", the issue 

public key determination unit 214 determines that the public key 
XX PK" has not been generated using the issue identifier inf ormation 
XX IDI". 

[0220] When determining that the public key XX PK" has been generated 

10 using the issue identifier information XX IDI" , the issue public 

key determination unit 214B writes the received public key XX PK" 
to the issue public key repository 211 while writing the issue 
identifier information to the issue identifier information 
repository 212. The issue public key determination unit 214B 

15 outputs, to the public key certificate generation unit 215, an 

order to start generating a public key certificate. 

The issue public key determination unit 214B terminates the 
process when determining that the public key XX PK" has not been 
generated using the issue identifier information XX IDI" . 

20 [0221] 1.9.3 Prime Candidate Generation Process 

As to the prime candidate generation process according to 
the present modified example, only differences from the prime 
candidate generation process shown in the first embodiment are 
explained here. Note that, since, the operational flows of the 

25 key issuing process and the prime generation process are the same 

as those in the first embodiment, the descriptions are left out 
here . 

After executing Steps S500 to S560 shown in FIGs . 16 and 
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17, the prime candidate generation unit 142B omits Step S565 and 
reads the verification value "1" in Step S570 . In Step S575, the 
prime candidate generation unit 14 2B generates the number "N = 
2x(R+w) xq+1" . That is, while Steps S565, 580 and 585 are omitted, 
Steps S570 and S575 are modified as above. Note that vv l" in the 
latter term of the equation to obtain the number "N" is the 
verification value. 
[0222] The following is the same as the first embodiment, and 

therefore the description is left out. 

Namely, the prime candidate generation process according to the 
present modified example generates the number XX N" using the prime 
*q" and the number "R", independent of the value of the output 
counter . 

1.9.4 Certificate Issuing Process 

As to the certificate issuing process according to the 

. present modified example, only differences from the certificate 

issuing process shown in the first embodiment are explained here. 

[0223] In Step S660, the issue public key determination unit 214B 

reads the verification value vx l". Then, in Step S670, by using 

the read verification value *1" , the public key VV PK" and the issue 

identifier information "-IDI", the issue public key determination 

unit 214B examines whether "PK" has been generated from "IDI". 
1.9.5 Examination of Determination Method 
By the method described above, the certificate issuing 

server can determine whether the key issuing server has properly 

generated the primes using the issue identifier information 

>X IDI" . 

[0224] This is because, the primes vx pl" and vv p2" , which are private 



keys, satisfy the following with the primes xv ql" and "q2" , the 
random numbers U R11" and XV R12" , and the issue identifier 
information XX IDI": xv pl = 2xqlxiDlxRll+l" and xv p2 

2xq2xiDIXR12+l" . Therefore, the following equalities are 
5 obtained: 

n = plxp2 = (2xqlXIDIXRll+l)X(2xq2xiDIXR12+l) 

= IDIX( 4xqlXq2XRllXR12xiDI+2XqlXRll+2xq2XRl2 ) +1 . 
Accordingly, the certificate issuing server is capable of 
determining whether the key issuing server has properly generated 
10 the primes VN pl" and vv p2" using the issue identifier information 

IDI by examining n n-l" being divisible by XN IDI". 
[022 5] 1.10 MODIFIED EXAMPLE 3 OF PRIME GENERATION 

In the above embodiment, when a prime of 256 bits is to be 
generated, the uniqueness of the prime to be generated is 
15 satisfied by applying an injection function; and when a prime 

of 512 bit is to be generated, an element used to examine the 
validity of the prime to be generated is added. Here, however, 
is described a case in which the uniqueness of a prime and the 
addition of an element used to examine the validity are performed 
20 in a single operation. 

[0226] Modified Example 3 differs from the above embodiment in 

the prime generation unit in the key issuing server and the issue 
public key determination unit in the certificate issuing server. 
The following describes a prime generation unit 116C and an issue 
25 public key determination unit 214C of this modified example. 

Note that, with respect to other structural, components , the same 

components shown in the first embodiment are used. 

In addition, here, the bit size of the server identifier is set 
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to 15 bits, while the bit sizes of the terminal identifier of 
the terminal and the issue identifier information being 16 bits 
and 32 bits, respectively. 
[0227] 1.10.1 Prime Generation Unit 116C 

The prime generation unit 116C, as shown in FIG. 22, has 
an iteration control unit 13 2C and a prime information generation 
unit 133C. 

The prime generation unit 116C generates a 512 -bit prime 
from an 8 -bit prime, and outputs the generated 512 -bit prime to 
the key judgment unit 117. 
[0228] 1.10.1.1 Iteration Control Unit 132C 

The iteration control unit 13 2C has an initial value storage 
area that stores in advance the 8-bit prime and the bit size of 
the prime (i.e. * 8" ) , and a temporary storage area to temporarily 
store a prime received from the prime information generation unit 
133G. 

The iteration control unit 13 2C has an iteration counter 
13 5C that counts the iteration number of operations of the prime 
information generation unit 133C, and an output counter 136C that 
counts the number of primes output to the key judgment unit 
117 — i.e. the number of times that a generated 512-bit prime has 
been output. Note that the initial values of the iteration 
counter 135C and output counter 136C are both "1" . 
[0229] The iteration control unit 132C has a control information 

table T150 shown in FIG. 23. The control information table T150 
stores at least one pair made up of the number of iterations and 
control information . The number of iterations corresponds to the 
value of the iteration counter 13 5C. The control information 



indicates a type of a generation method used to generate a prime 
at the prime information generation unit 13 3C. 

Receiving the order to start prime generation from the 
identifier generation unit 115, the iteration control unit 132C 
controls the prime information generation unit 13 3C to generate 
a prime . Receiving a prime from the prime information generation 
unit 133C, the iteration control unit 132C either orders again 
the prime information generation unit 133C to generate a prime 
or outputs the received prime to the key judgment unit 117, 
according to the individual values of the iteration counter 135C 
and output counter 136C. 
[023 0] The operation is described next. 

Receiving the order to start prime generation from the 
identifier generation unit 115, the iteration control unit 132C 
sets both the iteration counter 135C and output counter 136C to 
>x 1 99 

[0231] Receiving a prime from the prime information generation unit 

13 3C, the iteration control unit 132C adds "1" to the value of 
the iteration counter 13 5C, and judges whether the added result 
is 7 or not. 

[0232] When determining that the added result is 7, the iteration 

control unit 132C judges whether the value of the output counter 
13 6C is 1 or not. When determining that it is 1, the iteration 
control unit 13 2C outputs the received prime to the key judgment 
unit 117 as a prime ' v pl", and adds *1" to the value of the output 
counter 13 6C while setting the value of the iteration counter 
13 5C to "1" . When determining that it is not 1 — i.e. two or more, 
the iteration control unit 13 2C makes the received prime a prime 



vv p2", and outputs the prime VN p2" and an order to start judgment 
to the key judgment unit 117. 

When determining that the added result is not 7 , the 
iteration control unit 132C calculates the bit size of the 
5 received prime, and temporarily stores ' the received prime and 

calculated bit size in the temporary storage area. 

The iteration control unit 132C performs the following 
operation whenever (i) after receiving the order to start prime 
generation and setting the values of both the iteration counter 

10 135C and the output counter 136C to xx l", (ii) after temporarily 

storing a prime received from the prime information generation 
unit 133C and the bit size of the prime, and (iii) after adding 
xv l" to the value of the output counter 136C and setting the value 
of the iteration counter 135C to "1" . 

15 [023 3] The iteration control unit 132C judges whether the value 

of the iteration counter 135C is 1. When determining that it is 
1, the iteration control unit 13 2C reads an 8 -bit prime and the 
bit size of the prime from the initial value storage area. On 
the other hand, when determining that it is not 1, the iteration 

20 r control unit 132C reads a bit size *8x(2~(n-l) ) " and the prime 

from the temporary storage area. That is, when determining that 
the value of the iteration counter 13 5C is not 1, the iteration 
control unit 132C reads, from the temporary storage area, a prime 
that has been generated in the previous time and the bit size 

25 of the prime. Here, XN n" is a value of the iteration counter. 

[0234] Control information corresponding to the value of the 

iteration counter 13 5C is read from the control information table 
T150, and the iteration control unit 132C judges whether the read 
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control information is "Information C" . 

When determining that it is "Information C" , the iteration 
control unit 13 2C generates 1st information made up of the read 
prime, the bit size of the prime, and the control information, 
5 and outputs the generated 1st information to the prime information 

generation unit 133C. 
[0235] When determining that it is not "Information C", the 

iteration control unit 132C acquires the issue identification 
information "IDI" from the identifier repository 110, and 
10 calculates a bit size "lenlDI" of the acquired issue identifier 

information. The iteration control unit 132 then generates 2nd 
information made up of the read prime, the bit size of the prime, 
the control information, the issue identifier information "IDI" 
and the bit size "lenlDI", and outputs the generated 2nd 
15 information to the prime information generation unit 13 3C. 

[0236] In addition, when receiving a regeneration order to 

regenerate a prime from the key judgment unit 117, the iteration 
control unit 13 2C adds "1" to the value of the output counter 
13 6C and sets the value of the iteration counter 13 5C to "1". 
20 Subsequently, the iteration control unit 13 2C performs the 

judging of whether the value of the iteration counter 13 5C is 
"1" and the subsequent operation. 

1.10.1.2 Prime Information Generation Unit 133C 
The prime information generation unit 13 3C, as shown in FIG. 
25 24, comprises: an information control unit 140C; a random number 

generation unit 14 1C; a prime candidate generation unit 14 2C; 
a 1st primality testing unit 14 3C; and a 2nd primality testing 
unit 144C. 
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[0237] The prime information generation unit 13 3C generates a prime whose 

bit size is twice as large as that of the prime received f rem the iteration 
control unit 132C. For example, when receiving a prime of 8 bits, the 
prime information generation unit 13 3C generates a prime of 16 bits. 
In the same fashion, a prime of 32 bit is generated when a prime of 
16 bit is received. 

The following describes each structural component, assuming 
that a prime received from the iteration control unit 13 2C is 
vx q" and the bit size is "lenq" . 
[0238] 1.10.1.3 Information Control Unit 140C 

The information control unit 140C has an information storage 
area to store the 1st and 2nd information. 

The information control unit 140C has an assigned prime 
storage area that stores in advance a prime "qg" and the prime's 
bit size "lenqg" which are assigned by the certificate issuing 
server 200 and used when a prime is generated based on the control 
information vv Information AB" . Here, the bit size of the prime 
VN qg" is, for example, xv 64" bits. 
[0239] Receiving, from the iteration control unit 13 2C, the 1st 

information made up of the prime *q" , the prime's bit size "lenq" , 
and the control information, the information control unit 140C 
writes the received 1st information to the information storage 
area . That is , the information control unit 14 0C writes the prime 
xx q", the prime's bit size v 'lenq", and the control information 
(in this case "Information C"). 

Receiving, from the iteration control unit 13 2C, the 2nd 
information made up of the prime vx q" , the prime's bit size xv lenq" , 
the control information, the issue identifier information "IDI" 



and the bit size "lenlDI", the information control unit 140C 
writes the received 2nd information to the information storage 
area. That is, the information control unit 140 writes the prime 
*q" , the prime's bit size XN lenq", the control information, the 
issue identifier information XX IDI" and the bit size "lenlDI". 

[0240] After writing the received information, the information 

control unit 140C outputs a 1st generation direction indicating 
a direction of random number generation to a random number 
generation unit 14 1C. 

Receiving a prime from the 2nd primality testing unit 144C, 
the information control unit 14 0C outputs the received prime to 
the iteration control unit 132C. 

Receiving, from the prime candidate generation unit 14 2C, 
a number read -out order to read the value of the output counter 
13 6C, the information control unit 140C reads the value of the 
output counter 136C in the iteration control unit 132C. The 
information control unit 14 0C outputs the read value to the prime 

. ... candidate generation unit 142C. 

[0241] 1.10.1.4 Random Number Generation Unit 14 1C 

Receiving, from the information control unit 140C, the 1st 
generation direction indicating a direction of random number 
generation, the random number generation unit 14 1C reads control 
information stored in the information storage area of the 
information control unit 140C. The random number generation unit 
14 1C judges whether the read control information is "Information 
C" . 

[0242] When determining that it is vx Inf ormation C", the random 

number generation unit 14 1C reads xx lenq" stored in the information 
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storage area of the information control unit 140C, generates a 
random number "Rl" of (lenq-1) bits, and outputs the generated 
random number VV R1" and the read control information to the prime 
candidate generation unit 14 2C . Here, the first bit of the random 
5 number XV R1" is 1. The method for generating random numbers is 

described in detail in Non-patent Reference 2. 
[0243] When determining that it is not "Information C" , the random 

number generation unit 14 1C separately reads "lenq" stored in 
the information storage area of the information control unit 14 0C 
10 and "lenqg" stored in the assigned prime storage area. Then, the 

random number generation unit 14 1C generates a random number VX R1" 
of (lenq-2xlenqg-l) bits, using the read "lenq" and "lenqg", and 
outputs the generated random number XX R1" and the read control 
information to the prime candidate generation unit 142C. Here, 
15 the first bit of the random number *R1" is 1. 

[0244] In addition, when receiving the 2nd generation direction 

to generate a random number again from either the 1st primality 
testing unit 143 or the 2nd primality testing unit 144, the random 
number generation unit 141C reads control information from the 
20 information storage area and conducts the above operation. 

1.10.1.5 Prime Candidate Generation Unit 142C 
The prime candidate generation unit 142C has: a generated 
information storage area to store generated information; and a 
function storage area that stores in advance (i) a prime 
2 5 generation function VN gp" to generate a unique prime from the issue 

identifier information XV IDI" and the prime "qg", and (ii) a 
function vv f", which is an injection. 
[0245] Next is an example of the prime generation using the prime 
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generation function "gp" . 

The prime candidate generation unit 14 2C, first, judges 
whether "2xqgxf(IDI| |c)+l" is a prime, where "c=0" . When it is 
a prime, the following equation is established: "gp(IDI, qg) — 
5 2xqgxf(IDI| |c)+l". If it is not a prime, "1" is added to xv c", 

and then the prime candidate generation unit 142C judges whether 
vv 2xqgxf (IDI | |c)+l" is a prime. Then, if it is a prime, the 
following equation is established: - "gp(IDI, qg) = 

2xqgxf (IDI| |c)+l" . Still, if it is not a prime, "1" is added to 
10 "c", and then the same judgment process is conducted. Such a 

procedure is repeated until a prime is obtained. When the prime 
generation function u gp" is defined in this way, the prime 
candidate generation unit 142C only has to have the functions 
"qg" and "f " in order to generate — no matter how many times a prime 
15 is generated by using the prime generation function — the same 

prime with respect to the issue identifier information "IDI". 
At this point, when the bit sizes of "IDI" and "qg" are vv 32" and 
"64" bits, respectively, the bit size of "gp(IDI, qg)" becomes 
128 bits. 

20 [0246] Receiving the random number "Rl" and control information 

from the random, number generation unit 14 1C, the prime candidate 
generation unit 142C judges whether the received control 
information is "Information C" . 

When determining that it is "Information C" , the prime 

2 5 candidate generation unit 142C reads the prime "q" from the 

information storage area of the information control unit 140C. 
The prime candidate generation unit 14 2C generates a number "N 
= 2xRlxq+l", using the read prime vv q" and the random number "Rl" 
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received from the random number generation unit 141C. The prime 
candidate generation unit 14 2C judges whether a bit size "lenN" 
of the generated number "N" matches "lenq" . When determining 
that they match each other, the prime candidate generation unit 
5 14 2C outputs the generated number "N" to the 1st primality testing 

unit 14 3C, and stores, in the generated information storage area, 
the received random number "Rl" as "R" . 
[0247] When determining that they do not match each other, the prime 

candidate generation unit 142C multiplies the random number "Rl" 
10 received from the random number generation unit 141 by 2, makes 

the result "Rl", and then generates the number "N = 2xRlxq+l" 
by conducting the above operation once again. 

When determining that the control information is not 
''Information C" — that is, determining that the control 
15 information is ''information AB", the prime candidate generation 

unit 142C separately reads the prime "q" and issue identifier 
information "IDI" from the information storage area of the 
information control unit 140C and the prime "qg" from the assigned 
prime storage area. 
20 [0248] The prime candidate generation unit 142C generates a prime 

"pIDI = gp(IDI, qg)'', by the method described above, using the 
read issue identifier information "IDI" and prime "qg" as well 
as the functions "f " and "gp^ stored in the function storage area, 
and stores the generated prime "pIDI" in the generated information 
25 storage area. 

The prime candidate generation unit 14 2C reads the prime 
"pIDI" stored in the generated information storage area, and 
generates a number "N « 2xRlxqxplDI+l" using the read prime "pIDI", 
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the received random number *R1" and the read prime xv q" . 
[0249] The prime candidate generation unit 142C judges whether a 

bit size "lenN" of the generated number M N" is xv 2xlenq". 

When determining that it is vv 2xlenq", the prime candidate 
generation unit 142C outputs the generated number X 'N" to the 1st 
primality testing unit 14 3C, and stores the received random number 
"Rl" in the generated information storage area as *R". 
[0250 ] . When determining that it is not "2xleilq" , the prime candidate 

generation unit 14 2C multiplies the random number "Rl" received 
from the random number generation unit 141C by 2, makes the result 
*R1", and generates the number M N" once again. 

1.10.1.6 1st Primality Testing Unit 143C 

Since the 1st primality testing unit 14 3C is the same as 
the 1st primality testing unit 143 of the first embodiment, the 
description is left out here. 
[0251] 1.10.1.7 2nd Primality Testing Unit 144C 

Since the 1st primality testing unit 144C is the same as 

the 1st primality testing unit 144 of the first embodiment, the 

description is left out here. 

1.10.2 Issue Public Key Determination Unit 214C 
Although not shown in the figure, a server information 

storage area 220C and a determination information storage area 

221C are included in the issue public key determination unit 214C. 

[0252] The server information storage area 220C has an area to store 

a server identifier which identifies a key issuing server having 

made an issue request of the public key certificate. 

The determination information storage area 221C stores in 

advance the prime vv qg" assigned to the key issuing server 100, 
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the prime's bit size >v lenqg" , and the functions vv gp" and *f " which 
are the same as the prime generation function and the injection 
function, respectively, stored in the key issuing server 100. 
53] The issue public key determination unit 214C receives, from 

the key issuing server 100 via the reception unit 217, the issue 
identifier information VN IDI", the public key "PK = (n, e)", the 
server identifier and the certificate issue request information. 

The issue public key determination unit 214C writes the 
received server identifier to the server information storage area 
220C. 

54] The issue public key determination unit 214C judges whether 

the public key VX PK" has been generated using the issue identifier 
information "IDI", using the received public key n PK" and the 
issue identifier information vv IDI ff . 

The determination method is explained here. First, the 
issue public key determination unit 214C generates the prime 
vv gp(IDI, qg)" using the received issue identifier information 
"IDI", the stored prime ' x qg" and the functions "gp" and xx f", and 
writes the generated prime xx gp(IDI, qg)" to the determination 
information storage area 221C. The generation method of the 
prime XN gp(IDI, qg)" is the same as the method described above, 
and therefore the description is omitted here. It can be seen 
that the prime "gp(IDI, qg)" generated by the issue public key 
determination unit 214C at this point is the same as the prime 
vv pIDI" generated by the prime candidate generation unit 14 2C of 
the key issuing server. 

55] Next, the issue public key determination unit 214C reads 

the prime u gp(IDI, qg)" stored in the determination information 
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storage area 221C, and examines whether vv n-l" is divisible by 
the read prime "gp( IDI , qg) " . Herewith, it can be determined that 
the public key "PK" has been generated using the issue identifier 
information " IDI " . 

When "n-1" is divisible by the prime "gp(IDI, qg)", the 
issue public key determination unit 214C determines that the 
public key "PK" has been generated using the issue identifier 
information "IDI" . On the other hand, when "n-1" is not divisible 
by the prime "gp(IDI, qg)"/ the issue public key determination 
unit 214C determines that the public key "PK" has not been 
generated using the issue identifier information "IDI". 

[0256] When determining that the public key "PK" has been generated 

using the issue identifier information "IDI", the issue public 
key determination unit 214C writes the received public key "PK" 
to the issue public key repository 211 while writing the issue 
identifier information to the issue identifier information 
repository 212. The issue public key determination unit 214C 
outputs, to the public key certificate generation unit 215, an 
order to start generating a public key certificate. 

The issue public key determination unit 214C terminates the 
process when determining that the public key "PK" has not been 
generated using the issue identifier information "IDI". 

[0257] 1.10 .3 Prime Genera tlon Process 

As to the prime generation process of the present modified 
example, the differences from the prime generation process shown 
in the first embodiment are described. Note that the operational 
flow is the same as in the first embodiment, and therefore the 
description is left out. 
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Step S425 of the prime generation process shown in FIG. 
15 is changed so that the random number generation unit 14 1C 
separately reads "lenq" stored in the information storage area 
of the information control unit 140C and xx lenqg" stored in the 
assigned prime storage area. Then, Step S430 is changed so that 
the random number generation unit 14 1C generates the random number 
"Rl" of (lenq-2xlenqg-l) bits using the read "lenq" and "lenqg", 
and outputs the generated random number XV R1" and the read control 
information to the prime candidate generation unit 142C. Here, 
the first bit of the random number "Rl" is 1. 
[0258] 1. 10. 4 Prime Candi da t e Genera tion Process 

The prime candidate generation process of the present 
modified example is described using the flow diagram shown in 
FIG. 25. 

Receiving the random number VV R1" and control information 
from the random number generation unit 141C (Step S700) , the prime 
candidate generation unit 14 2C judges whether the received 
control information is "Inf ormation C" (Step S705) . 
[0259] When determining that it is "information C" ( "YES" in Step 

S705) , the prime candidate generation unit 142C reads the prime 
"q" from the information storage area of the information control 
unit 140 (Step S710) . The prime candidate generation unit 142C 
generates a number "N = 2xRlxq+l" by using the read prime *q" 
and the random number "Rl" received from the random number 
generation unit 141C (Step S715) . The prime candidate generation 
unit 142C judges whether a bit size "lenN" of the generated number 
"N" matches "lenq" (Step S720) . When determining that they match 
each other ("YES" in Step S720), the prime candidate generation 
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unit 14 2C outputs the generated number "N" to the 1st primal ity 
testing unit 143C, and stores, in the generated information 
storage area, the received random number "Rl" as "R" (Step S755) . 

[0260] When determining that they do not match each other ("NO" 

in Step S720 ) , the prime candidate generation unit 142C multiplies 
the random number "Rl" received from the random number generation 
unit 141C by 2, makes the result "Rl" (Step S725), and then the 
process returns to Step S715 . 

When determining that the control information is not 
"Information C" ("NO" in Step S705) — that is, when determining 
that the control information is "Information AB" , the prime 
candidate generation unit 142C separately reads the prime "q" 
and the issue identifier information "IDI" from the information 
storage area of the information control unit 14 0C and the prime 
"qg" from the assigned prime storage area (Step S730) . 

0261] By the method described above, the prime candidate 

generation unit 142C generates the prime "pIDI = gp(IDI, qg)", 
using the read issue identifier information "IDI" and prime "qg" 
as well as the functions "f" and "gp" stored in the function 
storage area, and stores the generated prime "pIDI" in the 
generated information storage area (Step S735) . 

The prime candidate generation unit 14 2C reads the prime 
"pXDI" stored In the generated information storage area, and 
generates a number "N = 2XRlxqxpIDI+l" using the read prime "pIDI" , 
the read prime "q" , and the generated prime "pIDI" (Step S740) . 

0262] The prime candidate generation unit 142C judges whether a 

bit size "lenN" of the generated number "N" is "2xlenq" (Step 
S745) . 
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When determining that it is "2xlenq" ( VV YES" in Step S745), 
the prime candidate generation unit 14 2C outputs the generated 
number VV N" to the 1st primality testing unit 143C, and stores 
the random number "Rl" to the generated information storage area 
as "R" (Step S755) . 

[0263] When determining that it is not "2xlenq" ( vv NO" in Step S745) , 

the prime candidate generation unit 14 2C multiplies the random 
number "Rl" received from the random number generation unit 141C 
by 2, and makes the result *R1" (Step S750), and the process 
returns to Step S740. 

1.10.5 Certificate Issuing Process 

As to the certificate issuing process according to the 
present modified example, only the differences from the 
certificate issuing process shown in the first embodiment are 
described here. 

[0264] Step S660 is changed so that the issue public key 

determination unit 214C generates the prime *gp(IDI, qg)" using 
the received issue identifier information VN IDI" , the stored prime 
NV qg" and functions xv gp" and , and writes the prime "gp(IDI, 
qg) " to the determination information storage area 221C. In Step 
S665 , the issue public key determination unit 214C reads the prime 
vv gp(IDI, qg)" , and examines whether the public key "PK" has been 
generated using the issue identifier information U IDI" , using 
the received public key XX PK" and issue identifier information 
*IDI" as well as the read prime xx gp(IDl; qg)" . 

[0265] 1.10. 6 Examination of Prime Uniqueness and Determination 

Method 

According to the same proof described above, the uniqueness 



of the prime generated by the prime generation unit 116C is 
satisfied. That is, since different issue identifier 
information is generated with respect to each terminal, a 
generated prime is also different due to a property of the 
5 injection of the function vx f" used for the prime generation. 

Herewith, a different private key and a public key corresponding 
to the private key can be assigned with respect to each terminal. 
[0266] By the above-mentioned method, the certificate issuing 

server is capable of determining whether the key issuing server 
10 has properly generated the primes using the issue identifier 

information IDI . 

This is because, the primes vv pl" and ^p2", which are private 
keys, satisfy the following with the primes n ql" and >x q2", the 
random numbers *R11" and "R12", and the prime vv pIDI = gp(IDI, 
15 qg)": vv pl = 2XqlXpIDlXRll+l" and "p2 = 2Xq2xpIDIXR12+l" . 

Therefore, the following equalities are obtained: 

n = plxp2 = (2xqlxpIDlxRll+l)X(2xq2xpIDIXR12+l) 

= pIDIX( 4XqlXq2XRllXRl2xpIDI+2XqlXRll+2xq2XRl2 ) +1 . 
Accordingly, the certificate issuing server is capable of 
20 determining whether the key issuing server has properly generated 

the primes vx pl" and *p2" using the issue identifier information 
IDI by examining >x n-l" being divisible by "pIDI" . 
[0267] 1.10.7 Modifications 

It is a matter of course that the present invention is not 
25 confined to the above embodiment and modified examples, arid the 

following cases are also within the scope of . the present 
invention . 

In the above modified examples, a single prime vx qg" is 
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stored in advance; however, the present invention is not confined 
to this. The key issuing server may store in advance two primes 
"qgl" and "qg2". Then, the key issuing server uses the primes 
"qgl" and "qg2" when generating the primes "pi" and "p2", 
respectively. 

[0268] Furthermore, in the above modified examples, "pIDI" used 

to generate the prime "pi" is the same as "pIDI" used to generate 

the prime "p2"; however, the present invention is not confined 

to this. . For example, the value of "c" used to generate the prime 

.... r. 
"pi" and the value of "c" used to generate the prime "p2" are 

set to be different from each other so as to make the values of 

"pIDI" used to generate' the primes "pi" and "p2" different from 

each other. 

[0269] 2. SECOND EMBODIMENT 

A key issuing system 2 of the second embodiment according 
to the present invention is described, focusing on differences 
from the key issuing system 1 of the first embodiment. 

2.1 OVERVIEW OF KEY ISSUING SYSTEM 2 

As shown in FIG. 26, the key issuing system 2 comprises: 
key issuing servers 1100, 1101 and 1102; a key issue audit server 
1200; terminals 1300, 1301, 1302, 1303, 1304, 1305, and 
1306. The number of the terminals is, for example, a thousand. 
[0270] Each of the key issuing servers 1100, 1101 and 1102 is managed 

by a different company. The terminals 1300, 1301, and 1302 
individually request the key issuing server 1100 to issue a key. 
In the same manner, the terminals 1303, and 1304 individually 
request the key issuing server 1101 to issue a key, while the 
terminals 1305, and 1306 individually request the key issuing 
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server 1102 to issue a key. Note that the terminals 1300, 1301, 
and 1302 respectively have safe communication pathways with 
the key issuing server 1100. And in the same way, safe 
communication pathways are established between the key issuing 
5 server 1101 and the respective terminals 1303, and 1304 as 

well as between the key issuing server 1102 and the respective 
terminals 1305, and 1306. 
[0271] in like fashion, each of the key issuing servers 1100, 1101 

and 1102 also has a safe communication pathway with the key issue 
10 audit server 1200. 

Note that the following describes the overview of the key 
issuing system 2, using the key issuing server 1100, key issue 
audit server 1200 and terminal 1300. 

Receiving a key issue request from the terminal 1300, the key 
15 issuing server 1100 generates a private key and a public key with the 

RSA encryption. In addition, the key issuing server 1100 generates a 
public key certificate corresponding to the generated public key, and 
transmits the generated public key certificate and private key to the 
terminal 1300. Here, assume that the key length of each key to be 
20 generated is 1024 bits. 

[0272] Receiving issued-key request information which requests an 

issued public key and issue identifier information, the key 
issuing server 1100 transmits, to the key issue audit server 1200, 
issued- key information made up of the issued public key and issue 
2 5 identifier information used to generate the public key. 

Receiving the issued public key information from the key 
issuing server 1100, the key issue audit server 1200 audits the 
validity of the issued public key, and displays the audit result. 
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[0273] Receiving the public key certificate and the private key 

from the key issuing server 1100, the terminal 1300 stores therein 
the received public key certificate and private key. 

Subsequently, the user of the terminal 1400, for example, 
first obtains the public key certificate of the terminal 1300 
from the key issuing server 1100, or from the terminal 1300, and 
examines the validity of the public key certificate, using a 
public key AV C_PK" held by the key issuing server 1100 . When the 
public key certificate is determined as valid, the obtained public 
key certificate is stored in the terminal 1400 . The terminal 1400 
encrypts an e-mail to be transmitted to the terminal 1300, using 
the public key included in the stored public key certificate, 
and transmits the encrypted e-mail to the terminal 1300. 
[0274] Receiving the encrypted e-mail from the terminal. 1400, the 

terminal 1300 decrypts the encrypted e-mail, using the stored 
private key, and displays the decrypted e-mail. 

Herewith, a safe exchange of data can be achieved between 
the terminals 1300 and 1400. 
[027 5] Note that, since each of the terminals 1301, and 1302 

is the same as the terminal 1300, the descriptions are left out 
here. In addition, each of the key issuing servers 1101 and 1102 
is the same as the key issuing server 1100, the descriptions are 
left out here. 

In the following explanation, the terminal 1300 is used as 
a representative terminal while the key issuing server 1100 being 
used as a representative key issuing server. 
[0276] 2.2 STRUCTURE. OF KEY ISSUING SERVER 1100 

The key issuing server 1100, as shown in FIG. 27, comprises: 
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an identifier repository 1110; a private key repository 1111; 

a public key repository 1112; a certificate repository 1113; a 

control unit 1114; an identifier generation unit 1115; a prime 

generation unit 1116; a key judgment unit 1117; a key generation 
5 unit 1118; an information acquisition unit 1119; a reception unit 

1200 ; a transmission unit 1121; a certificate generation unit 

1122 ; a certificate private key repository 1123 ; and an issued-key 

information repository 1124 . 
[0277] The key issuing server 1100 is, specifically speaking, a 

10 computer system composed of a microprocessor, ROM, RAM, a hard 

drive unit, a display unit, a keyboard, a mouse, and the like. 

A computer program is stored in the RAM or the hard drive unit. 

The microprocessor operates according to the computer program, 

and thereby the key issuing server 1100 achieves the function. 
15 [027 8] Note that, since each of the key issuing servers 1101 and 

1102 has the same structure as the key issuing server 1100, the 

descriptions are left out here. 

2.2.1 Identifier Repository 1110 

The identifier repository 1110 has an area to store issue 
20 identifier information, having a bit size of 126 bits or less, 

as in the case of the identifier repository 110 of the first 
. embodiment. The bit size of the issue identifier information is 
64 bits, for example. 
[0279] 2.2.2 Private Key Repository 1111 

2 5 As in the case of the private key repository 111 of the first 

embodiment, the private key repository 1111 has a prime storage 
area and a private key storage area. 

2.2.3 Public Key Repository 1112 
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The public key repository 1112 has an area to store a public key, 
as in the case of the public key repository 112 of the first embodiment. 
[0280] 2.2.4 Certificate Repository 1113 

The certificate repository 1113 has an area to store a public key 
certificate generated by the certificate issuing server. 

2.2.5 Certificate Private Key Repository 1123 

The certificate private key repository 1123 stores in 
advance a certificate private key XX C_SK" used to generate a public 
key certificate. 
[0281] 2.2.6 Control Unit 1114 

The control unit 1114 , as shown in FIG . 27 , has a server identifier 
storage area 1130 and a terminal information storage area 1131, 

The server identifier storage area 1130 stores in advance 
a sever identifier which identifies the server itself. For 
example, in the case of the key issuing server 1100, SIDA is stored 
therein, while SIDB and SIDC are stored in the server identifier 
storage area 1130 of the key issuing servers 1101 and 1102, 
respectively. Note that the following description is given with 
the server identifier of the key issuing server 100 being VX SID". 
Here, the bit size of the server identifier is 31 bits. 
[0282] The terminal information storage area 1131 has an area to 

store a terminal identifier that identifies a terminal having 
requested a key issue. Here, the terminal identifier is, for 
example, a serial number of the terminal. The bit size of the 
serial number is here 32 bits. 

Receiving, from the terminal 1300 via the reception unit 
1120, key issue request information and a terminal identifier 
NX TID" of the terminal 1300, the control unit 1114 writes the 
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received terminal identifier XX TID" to the terminal information 
storage area 1131. The control unit 1114 outputs an order to 
generate issue identifier information and the received terminal 
identifier "TID" to the identifier generation unit 1115. 
[0283] Receiving issued-key request information from the key issue 

audit server 1200 via the reception unit 1120, the control unit 
1114 outputs an order to acquire key information to the 
information acquisition unit 1119 . 

2.2.7 Identifier Generation Unit 1115 

Since the identifier generation unit 1115 is the same as 
the identifier generation unit 115 of the first embodiment, the 
description is left out here. 
[0284] 2.2.8 Prime Generation Unit 1116 

The prime generation unit 1116 generates a 512 -bit prime 
in the same manner as the prime generation method of the prime 
generation unit 116 according to the first embodiment. 

2.2.9 Key Judgment Unit 1117 

Since the key judgment unit 1117 is the same as the key 
judgment unit 117 of the first embodiment, the description is 
left out here. 
[0285] 2.2.10 Key Generation Unit 1118 

Receiving the key generation order from the key judgment 
unit 1117, the key generation unit 1118 reads two primes xx pl" 
and ^ x p2" stored in the prime storage area of the private key 
repository 1111, and calculates the product "n" of the read primes 
vv pl" and vv p2" — i.e. "n = plxp2". 

The key generation unit 1118 generates a random number xv e", 
further generates, as a public key, a combination VX PK = (n, e)" 
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made up of the calculated "n" and the generated random number 
"e", and then writes the generated public key "PK" to the public 
key repository 1112. Here, the random number vv e" is coprime to 
the number "L", as in the conventional technique, and satisfies 
"l<e<L-l, GCD ( e , L) = 1" . Here, GCD ( e , L) is the greatest common 
divisor of e and L. The number XX L" is found by XX L = LCM(pl-l, 
p2-l)", where LCM(pl-l, p2-l) is the least common multiple of 
"pl-1" and xx p2-l" . 

The key generation unit 1118 calculates xx d" satisfying xx exd 
= 1 mod L", and writes, as a private key, a combination XX SK = 
(pi, p2, d)" made up of the calculated xx d", and the primes xx pl" 
and xx p2" to the private key storage area of the private key 
repository 1111. The key generation unit 1118 outputs, to the 
certificate generation unit 1122, an order to generate a public 
key certificate. 
[0286] 2.2.11 Certificate Generation Unit 1122 

Receiving the order to generate a public key certificate 
from the key generation unit 1118, the certificate generation 
unit 1122 separately reads the certificate private key XX C_SK" 
from the certificate private key repository, the public key XX PK" 
from the public key repository 1112, and issue identifier 
information XX IDI" from the identifier repository 1110. 
0287] The certificate generation unit 1122 generates a public 

key certificate "Cert" , using the read private key XX C_SK" , public 
key XX PK" and issue identifier information *IDI". Specifically 
speaking, the public key certificate xx Cert" to be generated is 
"Cert = n| |e| | IDI | |Sig(C_SK, n||e||IDI)". Here, Sig(K, D) is 
signature data of when a private key VX K" is used with respect 



to data VV D" . Here, the symbol *| |" denotes a bit join or byte 
join. 

[0288] The certificate generation unit 1122 writes the generated 

public key certificate NX Cert" to the certificate repository 1113 , 
and outputs, to the information acquisition unit 1119, a 
distribution start order to the information acquisition unit 
1119. 

2.2.12 Information Acquisition Unit 1119 
Receiving the distribution start order form the certificate 
generation unit 1122, the information acquisition unit 1119 
separately reads the private key VX SK" stored in the private key 
repository 1111, the public key certificate xx Cert" stored in the 
certificate repository 1113, and the terminal identifier stored 
in the terminal information storage area 1131 of the control unit 
1114 . Then, the information acquisition unit 1119 transmits, via 
the transmission unit 1121, the read private key VX SK" and public 
key certificate *Cert" to the terminal 1300 corresponding to the. 
read terminal identifier. 

0289] After transmitting the private key VV SK" and the public key 

certificate vx Cert" to the terminal 1300 via the transmission unit 
1121, the information acquisition unit 1119 separately reads the 
issued public key U PK = (n, e)" from the public key repository 
1112 and the issued issue identifier information "IDI" from the 
identifier repository 1110, and writes the read public key "PK" 
and issue identifier information U IDI" to the issued-key 
information repository 1124 as one combination. 

0290] Receiving an order to acquire key information from the 

control unit 1114, the information acquisition unit 1119 reads 
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all the pieces of issued-key information from the issued-key 
information repository 1124 . The information acquisition unit 
1119 reads the server identifier from the server identifier 
storage area 1130 of the control unit 1114, and transmits all 
the read pieces of issued-key information and the server 
identifier to the key issue audit server 1200 via the transmission 
unit 1121. 

[0291] 2.2.13 Issued-key Information Repository 1124 

The issued-key information repository 1124 has an issued-key 

information table T1100 as shown in FIG. 28. 

The issued-key information table T1100 has an area to store at 

least one combination made up of an issued public key and an issued 

identifier information piece. 
[0292] The issued public key is a public key having been issued 

by the key issuing server 1100, while the issued identifier 

information piece is a piece of issued identifier information 

used to generate a public key and a private key corresponding 

to the public key. 

Herewith, the key issuing server 1100 is capable of 

accumulating issued public keys and pieces of issued identifier 

information. 

[0293] Note that, since being used to store issue history that is 

issued public key information, the issued-key information 
repository 1124 has to be nonvolatile memory (e.g. a hard disc) , 
in which data is not erased even when the power is turned off. 
2.2.14 Reception Unit 1120 

The reception unit 1120 receives information from the key 
issue audit server 1200 and the terminal 1300, and outputs the 
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received information to the control unit 1114 . 
[0294] , 2.2.15 Transmission Unit 1121 

Receiving the private key "SK" and the public key certif icate 
v Cert" from the information acquisition unit 1119, the 
transmission unit 1121 transmits individual information to the 
terminal 1300. 

Receiving one or more pieces of issued- key information and 
the server identifier from the information acquisition unit 1119, 
the transmission unit 1121 transmits the received one or more 
pieces of issued- key information to the key issue audit server 
1200. 

[0295] 2.3 Key Issue Audit Server 1200 

The key issue .audit server 1200, as shown in FIG. 29, 
comprises: a determination information repository 1210; an 
issued-key information repository 1211; a control unit 1212; an 
issue public key determination unit 1213; an accepting unit 1214; 
an audit result output unit 1215; a reception unit 1216; and a 
transmission unit 1217 . 

The key issue audit server 1200 is, specifically speaking, a 
computer system composed of a microprocessor, ROM, RAM, a hard drive 
unit, a display unit, a keyboard, a mouse, and the like. A computer 
program is stored in the RAM or the hard drive unit . The microprocessor 
operates according to the computer program, and thereby the key issue 
- audit server 1200 achieves the function. 
[0296] Note that the key issue audit server 1200 conducts the same 

operations when receiving the issued-key information from the 
key issuing server 1100 and from other key issuing servers. And 
therefore, in the following description, issued-key information 
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transmitted from the key issuing server 1100 is used, 
2.3.1 Determination Information Repository 1210 
. The determination information repository 1210 has a 
verification value table T1200 as shown in FIG. 30. The 
verification value table T1200 has an area to store at least one 
combination made up of a server identifier, and 1st and 2nd 
verification values . The server identifier is an identifier that 
identifies a key issuing server. "SIDA" indicates the key issuing 
server 1100, while "SIDB" and VV SIDC" indicating the key issuing 
servers 1101 and 1102 , respectively . The 1st and 2nd verification 
values are verification values assigned to the key issuing servers 
indicated by associated server identifiers. Note that the 
following description is given, assuming that the server 
identifier of the key issuing server 1100 is "SID" . 
0297] 2.3.2 Issued Key Information Repository 1211 

The issued-key information repository 1211 has an area to 
store one or more pieces of issued-key information transmitted 
from the key issuing server 1100. 
2.3.3 Control Unit 1212 

The control unit 1212 has a servier information storage area 
1220 as shown in FIG. 29. 
0298] The server information storage area 1220 has an area to store 

server identifiers , each of which identifies a key issuing server 
having requested a public key certificate issue . 

Receiving, from the accepting unit 1214, an audit start order to 
start auditing the public key and an audit -target server identifier 
(here, it is "SID"), the control unit 1212 transmits, via the 
transmission unit 1217, issued-key request information to the key 



issuing server 1100 corresponding to the server identifier. 
[0299] The control unit 1212 writes the server identifier received 

from the accepting unit 1214 to the server information storage 
area 1220. 

The control unit 1212 receives one or more pieces of 
issued-key information and the server identifier from the key 
issuing server 1100 via the reception unit 1216. 

The control unit 1212 judges whether the received server 
identifier matches the server identifier stored in the server 
information storage area. 
[0300] When determining that they match each other, the control 

unit 1212 writes the -received one or more pieces of issued-key 
information to the issued-key information repository 1211, and 
outputs an audit start order and the received server identifier 
to the issue public key determination unit 1213 . 

When determining that they do not match each other, the control 
unit 1212 terminates the process. 

2.3.4 Issue Public Key Determination Unit 1213 
[0301] Receiving the audit start order and the server identifier 

from the control unit 1212, the issue public key determination 
unit 1213 reads corresponding 1st and 2nd verification values 
"ell" and NV cl2" from the determination information repository 
- >- 1210, using the received server identifier. 

The issue. public key determination unit 1213 reads one piece 
from among unread issued-key information from the issued-key 
information repository 1211. 

The issue public key determination unit 1213 judges whether 
the public key "PK" has been generated using the issue identifier 
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information "IDI", using the public key *PK" included in the read 
piece of issued-key information, the issue identifier 
information U IDI", and the 1st and 2nd verification values u cll" 
and *cl2" . 

5 [0302] Here, since the determination method is the same as in the 

first embodiment, the description is left out. 

When *n- (cllxcl2) " is divisible by XX IDI", the issue public 
key determination unit 1213 determines that the public key VV PK" 
has been generated using the issue identifier information VV IDI" . 

10 On the other hand, when xx n- (cllxcl2) " is not divisible by *IDI", 

the issue public key determination unit 1213 determines that the 
public key "PK" has been generated, not using the issue identifier 
information* "IDI" and temporarily stores the read issue 
identifier information V 'IDI" . 

15 [0303] The issue public key determination unit 1213 judges whether 

there is unread issued-key information. When determining that 
there is unread issued-key information, the issue public key 
determination unit 1213 repeats the above operation. When 
determining that there is no unread issued-key information, the 

20 issue public key determination unit 1213 then judges whether there 

is temporarily stored issue identifier information. 

When deterrnining that there is temporarily stored issue identifier 
information, the issue public key determination unit 1213 generates 
an invalid issue identifier information group by linking the all the 

2 5 stored issue identifiers, and outputs the generated invalid issue 

identifier information group to the audit result output unit 1215. 
[0304] When determining that there is no temporarily stored issue 

identifier information, the issue public key determination unit 
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1213 outputs, to the audit result output unit 1215, a validity 
message indicating that the validity of all public keys is 
determined. 

2.3.5 Accepting Unit 1214 

Accepting a direction of starting audit and a server 
identifier of an audit- target key issuing server > the accepting 
unit 1214 outputs an audit start order and the server identifier 
to the control unit 1212. 
[0305] 2.3.6 Audit Result Output Unit 1215 

Receiving the invalid issue identifier information group from the 
issue public key determination unit 1213, the audit result output unit 
1215 outputs the received invalid issue identifier information group 
to the monitor 1250. 

Receiving the validity message from the issue public key 
determination unit 1213 , the audit result output unit 1215 outputs the 
received validity message to the monitor 1250. 
[0306] Note that the monitor 1250 displays information received 

from the audit result output unit 1215. 

2.3.7 Reception Unit 1216 

Receiving one or more pieces of issued- key information and 
the server identifier from the key issuing server 1100, the 
reception unit 1216 outputs the received one or more issued- key 
information and server identifier to the control unit 1212. 
[0307] 2.3.8 Transmission Unit 1217 

Receiving issued- key request information from the control 
unit 1212, the transmission unit 1217 transmits the received 
issued-key request information to the key issuing server 1100. 

2.4 STRUCTURE OF TERMINAL 1300 
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The terminal 1300 is the same as the terminal 300 of the first 
embodiment, and therefore the description is left out. 
[0308] Note that, since each of the terminals 1301, 1302, 1303, 

1304, 1305, and 1306 is the same as the terminal 300, their 
descriptions are omitted. 

2.5 OPERATION OF KEY ISSUING SYSTEM 2 

The operation of the key issuing system 2 is described here. 
2.5.1 Overview of Operation of Key Issuing System 2 
Here is described the overview of operation of the key issuing 
system 2 . 

[0309] The following shows an overview of operation of when the 

key issuing server 1100 issues a key to the terminal 1300. 

The following description is given, defining one or more 
pieces of issued-key information as an issued-key information 
group. 

2.5.1.1 Overview of Operation for Key Issue 
The overview of operation for a key issue is described next, using 
a flow diagram shown in FIG. 31. 
[0310] Accepting a direction of key issue .request by a user 

operation, the terminal 1300 transmits key issue request 
. information and the terminal identifier U TID" to the key issuing 
server 100 (Step S1000) . 

Receiving the key issue request information and the terminal 
identifier %V TID" from the terminal 1300, the key issuing server 
1100 generates a private key and a public key in the key issuing 
process (Step S1005), issues a public key certificate for. the 
public key generated in Step S1005 in the certificate issuing 
process, and transmits the issued public key certificate and the 
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private key generated in Step S1005 to the terminal 1300 (Step 
S1010) . 

Receiving the private key XV SK" and the public key certificate 
XN Cert" from the key issuing server 1100, the terminal 1300 stores 
the received private key "SK" and the public key certificate 
"Cert" therein (Step S1015). 
[0311] 2.5.1.2 Overview of Operation for Key Audit 

The overview of operation for key audit is described next, 
using a flow diagram shown in FIG. 32. 

The key issue audit server 1200 transmits issued-key request 
information to the key issuing server 1100 in the audit process 
(Step S1050) 

The key' issuing server 1100 transmits the issued-key 
information group acquired in the key information acquisition 
process and the server identifier to the key issue audit server 
1200 (Step S1055) . 
[0312] 2.5.2 Key Issuing Process 

As to the operation of the key issuing process shown in FIG. 
31, only differences from that of the first embodiment are 
explained here, using the flow diagrams shown in FIGs . 11, 12, 
13 and 14. 

The key issuing process according to the present embodiment 
performs Steps S200 to 325 shown in FIGs. 11, 12 and 13. 
[0313] As- to. the . key issuing process of the present embodiment, 

Step S330 shown in FIG. 13 is changed so that the key generation 
unit 1118 writes, as a private key, a combination XX SK = (pi, p2, 
d) " to the private key storage area of the private key repository 
1111, and outputs an order to generate a public key certificate 



to the certificate generation unit 1122. 

The key issuing process of the present embodiment is 
terminated after the modified Step S330 is executed. 
0314] 2.5.3 Certificate Issuing Process 

Here is described the operation of the certificate issuing 
process shown in FIG. 31 , using a flow diagram of FIG. 33. 

Receiving the order to generate a public key certificate 
from the key generation unit 1118, the certificate generation 
unit 1122 separately reads the certificate private key "C_SK" 
from the certificate private key repository, the public key "PK" 
from the public key repository 1112, and the issue identifier 
information "IDI" from the identifier repository 1110 (Step 
SHOO) . 

0315] The certificate generation unit 1122 generates the public 

key certificate "Cert" , using the read private key "C_SK" , public 
key "PK" and issue identifier information "IDI", writes the 
generated public key certificate "Cert" to the certificate 
repository 1113, and outputs a distribution start order for the 
public key certificate "Cert" to the information acquisition unit 
1119 (Step S1105) . 

Receiving the distribution start order from the certificate 
generation unit 1122, the information acquisition unit 1119 
separately reads the private key "SK" stored in the private key 
repository 1111, the public key certificate "Cert" stored in the 
certificate repository 1113, and the terminal identifier stored 
in the terminal information storage area of the control unit 1114, 
and transmits, via the transmission unit 1121, the read private 
key "SK" and public key certificate "Cert" to the terminal 1300 



corresponding to the read terminal identifier (Step S1110). 
[0316] The information acquisition unit 1119 separately reads the 

public key "PK = (n, e)" issued from the public key repository 
1112 and the issue identifier information VV IDI" issued from the 
identifier repository 1110, and writes the read public key VV PK" 
and issue identifier information XX IDI" to the issued-key 
information repository 1124 as one combination (Step S1115) . 
2.5.4 Key Information Acquisition Process 
Here is described the operation of the key information 
acquisition process shown in FIG. 32; using a flow diagram of 
FIG. 34. 

[0317] Receiving the issued request information from the key issue 

audit server 1200 via the reception unit 1120, the control unit 
1114 of the key issuing server 1100 outputs a key information 
acquisition order to the information acquisition unit 1119 (Step 
S1200). 

Receiving the key information acquisition order from the control 
unit 1114, the information acquisition unit 1119 of the key issuing 
server 1100 reads all the pieces of issued-key information from the 
issued-key information repository 1124 (Step S1205) . 
[0318] The information acquisition unit 1119 reads the server 

identifier from the server identifier storage area 1130 of the 
control unit 1114, and transmits the read issued-key information 
group and server identifier to the key issue audit server 1200 
via the transmission unit 1121 (Step S1210) . 
2.5.5 Audit Process 

Here is described the operation of the audit process shown 
in FIG. 32, using a flow diagram of ^FIG. 35. 



[0319] Accepting an audit start direction and a server identifier 

of an audit -target key issuing server by a user operation, the 
accepting unit 1214 of the key issue audit server 1200 outputs 
an audit start order and the server identifier to the control 
unit 1212 (Step S1300) . 

Receiving the audit start order to start auditing the public 
key and the audit- target server identifier (here, it is "SID") 
from the accepting unit 1214, the control unit 1212 transmits 
issued-key request information to the key issuing server 1100 
corresponding to the server identifier via the transmission unit 
1217 (Step S1305) . 
[0320] The control unit 1212 writes the server identifier received 

from the accepting unit 1214 to the server information storage 
area 1220 (Step S1310). 

The control unit 1212 receives one or more pieces of 
issued-key information and the server identifier from the key 
issuing server 1100 via the reception unit 217 (Step S1315) . 

The control unit 1212 judges whether the received server 
identifier matches the server identifier stored in the server 
information storage area (Step S1320) . 
[0321] When determining that they match each other ("YES" in Step 

S1320), the control unit 1212 writes the received one or more 
pieces of issued-key information to the issued-key information 
repository 1211 , and outputs an audit start order and the received 
server identifier to the issue public key determination unit 1213 
(Step S1325) . 

The issue public key determination unit 1213 examines the validity 
of the public key in the determination process , and displays the result 
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on the monitor 1250. 
[0322] When determining that they do not match each other ( xv NO" 

in Step S1320), the control unit 1212 terminates the process. 
2.5.6 Determination Process 

Here is described the determination process shown in FIG. 
35 , using a flow diagram of FIG. 36. 

[0323] Receiving the audit start order and the server identifier 

from the control unit 1212, the issue public key determination 
unit 1213 reads corresponding 1st and 2nd verification values 
xx cll" and "cl2" from the determination information repository 
1210, using the received server identifier (Step S1400) . 

The issue public key determination unit 1213 reads one piece 
of unread issued-key information from the issued-key information 
repository 1211 (Step S1405) . 

[0324] The issue public key determination unit 1213 examines 

whether the public key "PK" has been generated using the issue 
identifier information XX IDI" by using the public key "PK" and 
the issue identifier information XX IDI" included in the read piece 
of issued-key information as well as the 1st and 2nd verification 
values u cll" and xx cl2" (Step S1410). Note that,, since the 
determination method is the same as in the first embodiment, the 
description is left out here. 
[0325] When determining that xv n- (cllxcl2 ) " is not divisible by 

"IDI" — i.e. when determining that the public key is invalid ( xv NO" 
in Step S1410), the issue public key determination unit 1213 
temporarily stores the read issue identifier information *IDI" 
(Step S1415) . 

When determining that xv n- ( cllxcl2 ) " is divisible by 
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"IDI" — i.e. when determining that the public key is valid ( XX YES" 
in Step S1410) , the issue public key determination unit 1213 omits 
Step S1415. 

[0326] The issue public key determination unit 1213 judges whether 

there is unread issued-key information (Step S1420) . When the 
issue public key determination unit 1213 determines that there 
is unread issued information ( ^ YES" in Step S1420), the process 
returns to Step S1405. 

When determining that there is no unread issued-key 
information pNO" in Step S1420), the issue public key 
determination unit 1213 judges whether there is temporarily 
stored issue identifier information (Step S1425) . 

[0327] When determining that there is temporarily stored issue 

) 

identifier information ("YES" in Step S1425), the issue public 
key determination unit 1213 generates an invalid issue identifier 
information group by linking all the stored issue identifiers, 
and displays the generated invalid issue identifier information 
group on the monitor 1250, via the audit result output unit 1215 
(Step S1430) . 

When determining that there is no temporarily stored issue 
identifier information ("NO" in Step S1425), the issue public 
key determination unit 1213 displays, on the monitor 1250 via 
the audit result output unit 1215, a validity message indicating 
that the validity of all the public keys is determined (Step 
S1435) . 
[0328] 3 . SUMMARY 

The prime information generation unit 133 of the prime 
generation unit 116 in the key issuing server 100 shown in the 



above first embodiment generates a 512-bit prime from an 8-bit 
prime by repeating the operation illustrated in FIG. 37. 

The prime information generation unit 133 generates a 16 -bit 
prime from an 8-bit prime (Step S1700), and generates a 32-bit 
prime from the generated 16 -bit prime (Step S1705) . Subsequently, 
in a similar fashion, the prime information generation unit 133 
in turn generates a 64 -bit prime from the 32 -bit prime, a 128 -bit 
prime from the 6 4 -bit prime, and a 2 56 -bit prime from the 128 -bit 
prime (Steps S1710, S1715 and S1720) . Then, at the end, a 516-bit 
prime is generated from the generated 256 -bit prime (Step S1725) . 
[0329] Up to the generation of a 128 -bit prime starting from an 

8-bit prime, the prime generation unit 116 generates those primes 
in a generation method similar to the conventional technique, 
according to the control information ^Information C" . 

In Step S1720, the prime generation unit 116 generates a 
25 6 -bit prime using the injection function xv f" according to the 
control information ^Information B" so that the generated prime 
is to be unique to the issue identifier information "IDI". 
[0330] In Step S1725, the prime generation unit 116 generates a 

512 -bit prime in which the issue identifier information "IDI" 
is embedded, according to the control information "Information 
A" so that the validity of the generated prime can be determined. 

Thus, by using the injection function "f", the key issuing 
server 100 is capable of generating a different private key and 
public key with respect to each terminal. In addition, when a 
512 -bit prime is generated from a 256 -bit prime in the key issuing 
server 100, the issue identifier information "IDI" is embedded 
in the generated prime. As a result, the certificate issuing 
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server 200 is capable of determining the validity of the public 
key, using the generated public key and the issue identifier 
information . 

[0331] Note that, also in the second embodiment, the key issuing 

server 1100 can generate a different private key and public key 
for each terminal by using the injection function NN f", as 
described above . Additionally, when a 512 -bit prime is generated 
from a 256-bit prime in the key issuing server 1100, the issue 
identifier information " V IDI" is embedded in the generated prime. 
As a result, the key issuing audit server 1200 is capable of 
determining the validity of the public key, using the generated 
public key and the issue identifier information. 

[0332] . According to the first embodiment, the key issuing server 100 
achieves, by using the injection function vv f", generating primes whose 
disparity is assured without a comparison between them, even when the 
prime generation is performed multiple times. 

Accordingly, it can be proved, without the need for 
comparison, that primes generated multiple times do not conform 
to each other 

According to the first embodiment above, as a result that 
the key issuing server 100 embeds the issue identifier information 
*IDI" in the prime to be generated, the certificate issuing server 
• 200 is capable of determining whether a key has been properly 
issued by examining the generated prime being divisible by the 
issue identifier information VV IDI" or not. 
[0333] There is conventionally a key issuing system having a single key 

issuing server. However, if the number of users increases, the 
computational effort also increases due to performing exponentiation 



multiple times for the prime generation, and as a result, a longer time 
is required for the computation. Given this factor, it is sometimeis 
the case that the computational effort is dispersed by providing 
multiple key issuing servers and making each handle key issuing. 
However, as to the conventional key issuing system having multiple key 
issuing servers, two users, for example, may have the same prime as 
their keys. In such a situation, the safety of the encryption is 
significantly reduced. For example, assume that the primes of User A 
are pAl and pA2, and nA = pAlxpA2 while the primes of User B are pBl 
and pB2, and nB = pBl>£>B2. At this point, if pAl = pBl, User A can find 
that one of the User B's primes is equal to pAl by calculating GCD(pAl, 
nB) . As a result, by calculating nB/pAl, User A can also obtain pB2. 
The safety of an RSA encryption system is based on prime factorization, 
and therefore , the decoding is very easy once a prime factor is revealed . 
Therefore, User A is capable of decrypting encrypted texts using the 
public key of User B. In like fashion, User B can decrypt encrypted 
texts using the User A's public key. 

In the conventional technique, there is a possibility that 
primes conform to each other when the prime generation is 
performed multiple times, and as a result, the safety of the 
encryption is significantly reduced. In order not to reduce the 
safety, whether the primes conform to each other or not can be 
determined by comparing an issued key with a previously- issued 
prime (a private key) . However, in a conventional public key 
encryption system, although a public key after being issued is 
managed at the key issuing server, a private key is often deleted 
since being highly confidential. Therefore, it is necessary to 
newly manage the issued prime (i.e. private key) . Furthermore, 
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when the number of issued primes reaches around a billion, it 
takes an awfully long time to perform the comparison, which is 
impractical . 

[0335] Additionally , when multiple key issuing servers perform key issues , 

it is necessary that the individual key issuing servers have to check 
each other ' s issued primes — i . e . private keys — so that the primes issued 
by all the key issuing servers do not conform to one another. There 
is no problem when the individual key issuing servers have a trusting 
relationship with each other; however, it is often the case that key 
issuing servers are individually set by different companies, and 
therefore, the relationships cannot always be trusted. Furthermore, 
even if key issuing servers maintain trusting relationships with each 
other, the volume of. communication between each key issuing server 
becomes large since the database of the private key in each key issuing 
server is accessed in every key issue. Thus, it is also impractical 
that the individual key issuing servers check each other's issued 
primes . 

[0336] By using the key issuing server of the present invention, it can 

be proved, without the need for comparison, that primes generated 
multiple times do not conform to each other, even when the prime 
generation is performed multiple times. 
3 . 1 Modi fi ca tions 

The present invention has been described based on the first 
and second embodiments and Modified Examples 1, 2 and 3 of the 
prime generation; however, it is matter of course that the present 
invention is not confined to these. The following cases are also 
within the scope of the present invention. 
[03 37] (1) The issue identifier information NV IDI" above is made . 



up of a join of a server identifier, a terminal identifier, and 
the number "1"; however, the present invention is not limited 
to this. "IDI" may be generated using a server identifier and 
an issue identifier "PID" generated by a counter. Here, the issue 
identifier *PID" is an odd number assigned in the order of issue 
starting from 1. Here, the identifier generation unit 115 
becomes capable of readily generating a different prime for each 
time by increasing the issue identifier VV PID" by vx 2" every time 
of a prime issue (generation). 
[0338] (2) An injection function is applied above when a 256 -bit prime 

is generated from a 12 8 -bit prime; however, the present invention is 
not confined to this. The application of the injection function can 
be made at any step before the issue identifier information is embedded. 

For example, the injection function may be applied when a 
16 -bit prime is generated from an 8 -bit prime. Alternatively, 
the injection function may be applied when a 32-bit prime is 
generated from a 16 -bit prime. In a similar fashion, the 
injection function may be applied when a 64 -bit prime is generated 
from a 32-bit prime, or when a 128-bit prime is generated from 
a 64 -bit prime. 

[0339] Note however that the number of bits of the issue identifier 

XV IDI" is smaller than the number of bits of the prime xx q" used 
for input, and the number of bits of the random number "Rl" is 
(lenq-lenIDI-1) bits while the number of bits of the number "R" 
is (lenq-1) bits. 

(3) The prime generation . unit 116 of the first embodiment 
may be a single prime generating apparatus. Here, when the issue 
identifier information VV IDI" and its bit size "lenlDI" are given, 



the prime generating apparatus generates a 512 -bit prime from 
the given "IDI" and bit size xv lenIDI" together with an 8 -bit prime 
stored in advance. 

[0340] Additionally, in the same way, the prime generation unit 

1116 of the second embodiment may be formed as a single prime 
generating apparatus . 

(4) The prime generation unit 116 of the first embodiment 
may be composed of : a 1st prime generation unit for generating 
a 128 -bit prime from an 8 -bit prime stored in advance; a 2nd prime 
generation unit for generating a 512 -bit prime from a 12 8 -bit 
prime. Or alternatively, the 1st and 2nd prime generation units 
may be formed by individual prime generating apparatuses . 

[0341] The 1st prime generation unit generates a 128-bit prime from 

an 8 -bit prime in a manner similar to the conventional technique. 
The conventional technique is described in detail in Patent 
Reference 1 and Non-Patent Referenced. 

An example of the structure of the 2nd prime generation unit 
is illustrated in FIG. 38. The following description is given, 
assuming that the 2nd prime generation unit is a single prime 
generating apparatus 2100. When the prime vx ql" , the prime's bit 
size "lenql" (here, 128 bits), -the issue identifier information 
*IDI"/ and the bit size "lenlDI" are given, the prime generating 
apparatus 2100 outputs a prime *N" of (4xlenql) bits. Note that 
the prime generating apparatus 2100 generates the prime *N" 
without using the 1st and 2nd verification values of the first 
embodiment . 

[0342] The prime generating apparatus 2100, as shown in FIG. 38, 

comprises : an accepting unit 2101 ; an accepted information storage unit 



2102; a prime seed generation unit 2103; a random number generation 
unit 2104; a prime candidate generation unit 2105; a 1st primality 
testing unit 2106; and a 2nd primality testing unit 2107. 

The prime generating apparatus 2100 is, specifically speaking, 
5 a computer system composed of a microprocessor, ROM, RAM, a hard drive 

unit, a display unit, a keyboard, a mouse, and the like. A computer 
program is stored in the RAM or the hard drive unit. The microprocessor 
operates according to the computer program, and thereby the key issue 
audit server 2100 achieves the function. 
10 [0343] <Accepted Information Storage Unit 2102> 

The accepted information storage unit 2102 has an area to 
store the prime *ql", the bit size *lenql" of the prime *ql" , 
the issue identifier information *IDI" , and the bit size "lenlDI" 
of the issue identifier information, all of which are given at 
15 the generation of the prime "N" . 

<Accepting Unit 2101> 

The accepting unit 2101 accepts the prime "ql", the bit size 
xx lenql (e.g. 128 bits)" of the prime "ql", the issue identifier 
information "IDI" , and the bit size "lenlDi" of VV IDI" from outside 
20 (e.g. the 1st prime generation unit shown above) , and writes the 

accepted prime xx ql", bit size u lenql (e.g. 128 bits)", issue 
identifier information "IDI", and bit size *lenIDI" of VV IDI" to 
the accepted information storage unit 2102. 
[0344] The accepting unit 2101 outputs the accepted, individual 

2 5 information . to the prime seed generation unit 2103: 

<Prime Seed Generation Unit 210 3 > 

The prime seed generation unit 2103 performs the same 
operation as one performed by the prime generation unit 116 of 
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the first embodiment when the control information is vv Information 
B" , and therefore, the description is omitted. Here, assume that 
a 256-bit prime vx q2" is generated from a 128-bit prime XN ql" . 
[0345] The prime seed generation unit 2103 outputs the generated 

5 prime xv q2" to the prime candidate generation unit 2105. 

<Random Number Generation Unit 2104> 

Receiving a 1st generation direction from the prime 
candidate generation unit 2105, the random number generation unit 
2104 reads the bit size "lenql" of the prime *ql" and the bit 
10 sizes vv lenIDI" of the issue identifier information "IDI" from 

the accepted information storage unit 2102. 
[0346] The random number generation unit 2104 generates a random 

number XV R1" of (2xlenql-lenIDI-l) bits, using the read bit size 
rN lenql" and xx lenIDI". Here, the first bit of the random number 
15 *R1" is 1. 

The random number generation unit 2104 outputs the generated 
random number XX R1" to the prime candidate generation unit 2105. 

In addition, accepting a 2nd generation direction indicating 
the regeneration of a random number from either one of the 1st 
20 and 2nd primality testing units 2106 and 2107, the random number 

generation unit 2104 reads each bit size, and then performs the 
above operation. 
[0347] <Prime Candidate Generation Unit 210 5> 

The prime candidate generation unit 2105 has a generated 
25 information storage area for storing a generated number. 

Receiving the prime NN q2" from the prime seed generation unit 
2103, the prime candidate generation unit 2105 outputs the 1st 
generation direction to the random number generation unit 2104 . 
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[0348] Receiving the random number U R1" from the random number 

generation unit 2104, the prime candidate generation unit 2105 
reads the issue identifier information U IDI" stored in the 
accepted information storage unit 2102. 

The prime candidate generation unit 2105 generates a number 
VX R = IDIXRl" and a number U N = 2xRxq2+l" , using the prime *q2" 
received from the prime seed generation unit 2103, the issue 
identifier information XV IDI" read from the accepted information 
storage unit 2102, and the random number XN R1" received from the 
random number generation unit 2104. 

[0349] The prime candidate generation unit 2105 reads the bit size 

"lenql" of the prime >v ql" from the accepted information storage 
unit 2102, and judges whether the bit size of the generated number 
"N" is Mxlenql" . 

When determining that it is Mxlenql" , the prime candidate 
generation unit 2105 outputs the generated number "N" to the 1st 
primality testing unit 2106, and stores the generated number XX R" 
in the generated information storage area. 

[0350] When determining that it is not Mxlenql", the prime 

candidate generation unit 2105 multiplies the random number "Rl" 
received from the random number generation unit 2104 by 2, and 
makes the result *R1" with which the prime candidate generation 
unit 2105 conducts the above operation once again to generate 
the numbers "R" and XN N" . 

The prime candidate generation unit 2105 repeats the above 
operation until the bit size of the number VV N" becomes Mxlenql" . 

[0351] <lst Primality Testing Unit 2106> 

The 1st primality testing unit 2106 performs the same 
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operation as one performed by the 1st primality testing unit 14 3 
shown in the first embodiment, and therefore the description is 
left out here. 

<2nd primality testing unit 2107> 

The 2nd primality testing unit 2107 performs the same 
operation as one performed by the 2nd primality testing unit 144 
shown in the first embodiment, and therefore the description is 
left out here. 

[0352] Note that the 2nd primality testing unit 2107 outputs the 

generated number *N" as a prime VX N" when determining that the 
generated number *N" is a prime. 

<Operation of Prime Generating Apparatus 2100> 
The operation of the prime generating apparatus 2100 is 
described next. 

(Prime Generation Process) 

Here is described the operation of the prime generation 
process conducted in the prime generating apparatus 2100, using 
a flow diagram illustrated in FIG. 39. 

0353] The prime generating apparatus 2100 accepts, in the 

accepting unit 2101, the prime xv ql", the bit size "lenql" of the 
prime *ql" , the issue identifier information "IDI", and the bit 
size "lenlDI" of the issue identifier information, and writes 
the accepted individual information to the accepted information 
storage unit 2102 (Step S2000). 

The prime generating apparatus 2100 generates, in the prime 
seed generation unit 2103, a prime >v q2" using the individual 
information accepted in Step S2000 (Step S2005). 

0354] The prime generating apparatus 2100 generates, in the random 



number generation unit 2104, a random number "Rl" of 
(2xlenql-lenIDI-l) bits using the bit sizes "lenql" and "lenlDI" 
accepted in Step S2000 (Step S2010) . Here, the first bit of the 
random number "Rl" is 1. 

The prime generating apparatus 2100 generates the numbers 
"R" and "N" by performing, in the prime candidate generation unit 
2105, the prime candidate generation process, using the issue 
identifier information "IDI" accepted in Step S2000, the prime 
"q2" generated in Step S2005, and the random number "Rl" generated 
in Step S2010 (Step S2015) . The prime generating apparatus 2100 
judges, in the 1st primality testing unit 2106, whether the 
above-mentioned equation (Eq. 1) is true by using the number "N" 
generated in Step S2015 (Step S2020). 

[0355] When determining that the equation (Eq. 1) is true ("YES" 

in Step S2020), the prime generating apparatus 2100 judges, in 
the 2nd primality testing unit 2107, whether the above-mentioned 
equation (Eq. 2) is true by using the numbers "R" and "N" generated 
in Step S2015 (Step S2025) . 

When determining that the equation (Eq. 2) is true ( "YES" 
in Step S2025), the prime generating apparatus 2100 outputs the 
number "N" as a prime "N" , and terminates the process (Step S2030) . 

[0356] When determining that the equation (Eq. 1) is not true ("NO" 

in Step S2020) and that the equation (Eq. 2) is also not true 
("NO" in Step S2025) , the prime generating apparatus 2100 returns 
to Step S2010, and performs the process once again. 
(Prime Candidate Generation Process) 

Here is described the prime candidate generation process 
conducted in Step S2015 of the prime generation process, using 
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a flow diagram illustrated in FIG. 40. 
[0357] The prime candidate generation unit 2105 generates the 

number XX R", using the issue identifier inf ormation NX IDI" accepted 
in Step S2000 of the prime generation process and the random number 
5 *R1" generated in Step S2010 (Step S2050) . Here, the number "R" 

is found by *R = IDIXRl" . 

The prime candidate generation unit 2105 generates the number 
VV N", using the prime "q2" generated in Step S2005 of the prime 
generation process and the number *R" generated in Step S2050 

10 (Step S2055) . Here, the number *N" is found by = 2xRxq2+l" . 

[0358] The prime candidate generation unit 2105 judges whether the 

bit size of the generated number "N" is "4xlenql" (Step S2060) . 
... .. . . : „ When determining that it is Mxlenql" pYES" in Step S2060) , 

the process is finished. When determining that it is not 

15 xv 4xlenql" ( M NO" in Step S2060), the prime candidate generation 

unit 2105 multiplies the random number VX R1" generated in Step 
S2010 of the prime generation process by 2, and makes the result 
*R1", and the process returns to Step S2050 (Step S2065) . 
[0359] (Additional Particulars) 

20 The bit size of the prime which is the generated private 

key is here 512 bits, however, the present invention is not limited 
to this. It may be 1024 bits, or 2048 bits. In addition, the 
prime generated in the above 1st prime generation unit is also 
not confined to 128 bits. 

25 (5) The above-mentioned prime seed generation unit 2103 may 

be formed as a single prime generating apparatus. The following 
describes the prime generating apparatus 2200 in such a case. 
When the prime M q" , the bit size *lenq" of the prime xx q" (here, 
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128 bits'', the issue identifier information M IDI", and the bit 
size n lenIDI" of VX IDI" are given, the prime generating apparatus 
2200 outputs the prime VX N" of (2xlenq) bits. 

0360] The prime generating apparatus 2200, as shown in FIG. 41, 

comprises: an accepting unit 2201; an accepted information 
storage unit 2202; a random number generation unit 2203; a prime 
candidate generation unit 2204 ; a 1st primality testing unit 2205 ; 
and a 2nd primality testing unit 2206. 

The prime generating apparatus 2200 is, specifically 
speaking, a computer system composed of a microprocessor, ROM, 
RAM, a hard drive unit, a display unit, a keyboard, a mouse, and 
the like. A computer program is stored in the RAM or the hard 
drive unit. The microprocessor operates according to the 
computer program, and thereby the key issue audit server 22.00 
achieves the function . 

0361] <Accepted Information Storage Unit 2202> 

The accepted information storage unit 2202 has an area to 
store the prime *q", the bit size "lenq" of the prime xx q" , the 
issue identifier information V IDI", and the bit size vv lenIDI" 
of the issue identifier information, all of which are given at 
the generation of the prime n N" . 
<Accepting Unit 2201> 

The accepting unit 2201 accepts the prime xv q", the bit size 
"lenq" of -the prime *q" , the issue identifier information "IDI", 
and the issue identifier information's bit size "lenlDI" from 
outside (e.g.. the 1st prime generation unit shown above), and 
writes the accepted prime vv q" , bit size vv lenq", issue identifier 
information NN IDI", and bit size "lenlDI" of *IDI" to the accepted 
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information storage unit 2202. 
[0362] The accepting unit 2201 outputs a start direction indicating to 

start the process to the prime candidate generation unit 2204. 
<Random Number Generation Unit 220 3> 

Receiving a 1st generation direction indicating to generate 
a random number from. the prime candidate generation unit 2204, 
the random number generation unit 2203 reads the bit size "lenq" 
of the prime xx q" and the bit size "lenlDI" of *IDI" from the 
accepted information storage 2202 . 
[0363] The random number generation unit 2203 generates a random 

number W R1'' of ( lenq-lenIDI-1) bits, using the read bit sizes 
"lenq" and "lenlDI" . Here, the first bit of the random number 
*R1" is 1 . The method for generating a random number is described 
in detail in Non-Patent Reference 2. 

The random number generation unit 2203 outputs the generated 
random number *R1" to the prime candidate generation unit 2204. 

In addition, accepting a 2nd generation direction indicating 
to regenerate a random number from either one of the 1st and 2nd 
primality testing units 2205 and 2206, the random number 
generation unit 2203 reads each bit size, and then performs the 
above operation . 
[0364] <Prime Candidate Generation Unit 2204> 

The prime candidate generation unit 2204 has a function 
storage area to store in advance a function *f", which is an 
injection, and a generated information storage area to store a 
number generated by using the function "f". 

Receiving a start direction from the accepting unit 2201, 
the prime candidate generation unit 2204 outputs the 1st 
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generation direction to the random number generation unit 2203. 
[0365] Receiving the random number "Rl" from the random number 

generation unit 2203, the prime candidate generation unit 2204 
reads the prime vv q" and the issue identifier information VV IDI" 
5 stored in the accepted information storage unit 2202. 

The prime candidate generation unit 2204 generates a number 
VX R = f(IDI| |R1)" and a number XN N = 2xRXq+l" , using the function 
*f" stored in the function storage area, the read prime *q" and 
issue identifier information *IDI", and the random number *R1" 
10 received from the random number generation unit 2203. 

[0366] The prime candidate generation unit 2204 judges whether the 

bit size of the generated number XV N" is xx 2xlenq". 

When determining , that it is "2xlenq", the prime candidate 
generation unit 2204 outputs the generated number *N" to the 1st 
15 primality testing unit 2205, and stores the generated number VV R" 

in the generated information storage area . 
[0367 ] When determining that it is not xx 2xlenq" , the prime candidate 

generation unit 2204 multiplies the random number W R1" received 
from the random number generation unit 2203 by 2, and makes the 
20 result VX R1" with which the prime candidate generation unit 2204 

conducts the above operation once again to generate the numbers 
XX R" and *N" satisfying the above equations. 

The prime candidate generation unit 2204 repeats the above 
operation until the bit size of the number XN N" becomes xx 2xlenq". 
25 [0368] <lst Primality Testing Unit 2205> 

The 1st primality testing unit 2205 performs the same 
operation as one performed by the 1st primality testing unit 143 
shown in the first embodiment, and therefore the description is 
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left out here. 

<2nd Primality Testing Unit 220 6> 

The 2nd primality testing unit 2206 performs the same 
operation as one performed by the 2nd primality testing unit 144 
5 shown in the first embodiment, and therefore the description is 

left out here. 

[0369] Note that the 2nd primality testing unit 2206 outputs the 

generated number NN N" as a prime XV N" when determining that the 
generated number VX N" is a prime. 
10 <Operation of Prime Generating Apparatus 2200> 

The operation of the prime generating apparatus 2200 is 
described next. 

(Prime Generation Process) 

The prime generation process conducted in the prime 
15 generating apparatus 2200 is described here, focusing only on 

modified points, with the use of the flow diagram illustrated 
in FIG. 39. 

[0370] The prime generating apparatus 2200 accepts, in Step S2000, 

the prime -q" , the bit size xx lenq" of the prime *q" , the issue 

20 identifier information VX IDI", and the bit size "lenlDI" of the 

issue identifier information according to user's operation, and 
writes the accepted individual information to the accepted 
information storage unit 2202. 

After executing Step S2000 which is modified as above, the 

25 prime generating apparatus 2200 omits Step S2005, and executes 

Step S2010 modified as follows. The prime generating apparatus 
2200 executes Step S2010 which is modified to generate the random 
number XV R1" of (lenq-lenIDI-1) bits. 
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[0371] Since the following operational flow is the same as FIG. 

39, the description is left out. 

(Prime Candidate Generation Process) 

The prime candidate generation process is described here, 
focusing only on modified points, with the use of the flow diagram 
illustrated in FIG. 40. 

First, Step S2050 is modified so as to generate a number 
M R = f (IDI| |R1)" . 

[0372] Next, Step S2055 is modified so as to generate a number *N 

= 2xRXq+l" . 

Since the following operational flow is the same as FIG. 

40, the description is left out. 

(6) The prime generation unit 116C of Modified Example 3 
of the prime generation may be composed of : a 1st prime generation 
unit that generates a 256 -bit prime from an 8 -bit prime stored 
in advance; and a 2nd prime generation unit that generates a 
512 -bit prime from a 256 -bit prime. Additionally, the 1st and 
2nd prime generation units may be individual prime generating 
apparatuses. 

[0373] The 1st prime generation unit generates a 256 -bit prime from an 

8 -bit prime in a method similar to the conventional technique. 

An example of the structure of the 2nd prime generation unit 
is illustrated in FIG. 42. The following description is given, 
assuming that the 2nd prime generation unit is a single prime 
generating apparatus 2300. When the prime xx q" , the prime's bit 
size *lenq" (here, 128 bits), the issue identifier information 
VN IDI", and the bit size xv lenIDI" are given, the prime generating 
apparatus 2300 outputs a prime "N" of (2xlenq) bits. Note that 
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the prime generating apparatus 2300 generates the prime XV N" 
without using the 1st and 2nd verification values of the first 
embodiment . 

[0374] The prime generating apparatus 2300, as shown in FIG. 42, 

5 comprises : an accepting unit 2301 ; an accepted information storage unit 

2302; an identifier prime generation unit 2303; a randan number 
generation unit 2304; a prime candidate generation unit 2305; a 1st 
primality testing unit 2306; and a 2nd primality testing unit 2307. 
The prime generating apparatus 2300 is, specifically speaking, 
10 a computer system composed of a microprocessor, ROM, RAM, a hard drive 

unit, a display unit, a keyboard, a mouse, and the like. A computer 
program is stored in the RAM or the hard drive unit . The microprocessor 
operates according to the computer program, and thereby the key issue 
audit server 2300 achieves the function. 
15 [0375] <Accepted Information Storage Unit 2302> 

The accepted information storage unit 2302 has an area to 
store the prime xx q", the bit size xx lenq" of the prime vv q" , the 
issue identifier information XV IDI" , and the bit size ^lenlDI" 
of the issue identifier information, all of which are given at 
20 the generation of the prime XV N" . 

<Accepting Unit 2301> 

The accepting unit 2301 accepts the prime xx q", the bit size 
yx lenq" of the prime AV q" , the issue identifier infprmation M IDI", 
and the bit size xv lenIDI" of *IDI" from outside (e.g. the 1st 
25 prime generation unit), and writes, the accepted prime xv q", bit- > 

size vv lenq", issue identifier information XX IDI", and bit size 
vv lenIDI" of the issue identifier information to the accepted 
information storage unit 2302. 
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[0376] The accepting unit 2301 outputs a start direction indicating 

to start the process to the identifier prime generation unit 2303 . 
<Identifier Prime Generation Unit 2303> 

The identifier prime generation unit 2303 stores in advance 
5 a prime vx qg" and the bit size NV lenqg" of the prime. 

[0377] The identifier prime generation unit 2303 stores in advance 

an injection function vv f" and a prime generation function *gp" 
for generating a unique prime from the issue identifier 
information XV IDI" and the prime vv qg". 
10 Receiving the start direction from the accepting unit 2301, 

the identifier prime generation unit 2303 reads the issue 
identifier information XX IDI" from the accepted information 
storage unit 2302. 

The identifier prime generation unit 2303 generates a prime 
15 "pIDI = gp(IDI, qg)" from the prime "qg" and the prime generation 

function "gp" stored in advance as well as the read issue 
identifier information "IDI". The method for generating the 
prime vv pIDI" is the same as shown in Modified Example 3 of the 
prime generation, and therefore the description is left out. 
20 [037 8] The identifier prime generation unit 2303 outputs the 

generated prime "pIDI" to the prime candidate generation unit 
2305. 

<Random Number Generation Unit 2304> 

Receiving a 1st generation direction from the prime 
25 candidate generation unit 2305 , the random number generation unit 

2304 reads the bit size "lenq" of the prime vx q" from the accepted 
information storage unit 2302 and the bit size "lenqg" of the 
prime NN qg" from the identifier prime generation unit 2303. 
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[0379] The random number generation unit 2304 generates a random 

number "R" of ( lenq- 2xlenqg-l) bits, using the read bit sizes 
"lenq" and "lenqg" . Here, the first bit of the random number "R" 
is 1. 

The random number generation unit 2304 outputs the generated 
random number "R" to the prime candidate generation unit 2305. 

In addition, accepting a 2nd generation direction indicating 
regeneration of a random number from either one of the 1st and 
2nd primality testing units 2306 and 2307, the random number 
generation unit 2304 reads each bit size, and then performs the 
above operation. 
[0380] <Prime Candidate Generation Unit 2305> 

Receiving the prime "pIDI" from the identification prime 
generation unit- 2303, the prime candidate generation unit 2305 
outputs the 1st generation direction to the random number 
generation unit 2304. 

Receiving the random number "R" from the random number 
generation unit 2304, the prime candidate generation unit 2305 
reads the prime *q" stored in the accepted information storage 
unit 2302. 

[0381] The prime candidate generation unit 2305 generates *N = 

2XRxqxpIDI+l" , using the prime vx pIDI" received from the 
identifier prime generation unit 2303, the prime "q" read from 
the accepted information storage unit 2302 , and the random number 
"R" received from the random number generation unit 2304. 

The prime candidate generation unit 2305 reads the bit size 
"lenq" of the prime >x q" from the accepted information storage 
unit 2302, and judges whether the bit size of the generated number 
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*N" is "2xlenq". 

[0382] When determining that it is "2xlenq" , the prime candidate 

generation unit 2305 outputs the generated number "N" to the 1st 
primality testing unit 2306, and temporarily stores the random 
number VX R" . 

When determining that it is not u 2xlenq" , the prime candidate 
generation unit 2305 multiplies the random number n R" received 
from the random number generation unit 2304 by 2, and makes the 
result "R", with which the prime candidate generation unit 2305 
conducts the above operation once again to generate the number 
W N" . 

[0383] The prime candidate generation unit 2305 repeats the above 

operation until the bit size of the number VX N" becomes yx 2xlenq" . 
<lst Primality Testing Unit 2306> 

The 1st primality testing unit 2306 performs the same 
operation as one performed by the 1st primality testing unit 143 
shown in the first embodiment, and therefore the description is 
left out here. 
[0384] <2nd Primality Testing Unit 2307> 

The 2nd primality testing unit 2307 performs the same 
operation as one performed by the 2nd primality testing unit 144 
shown in the first embodiment, and therefore the description is 
left out here. 

Note that the 2nd primality testing unit 2307 outputs the 
generated number X >N" as a prime *N" when determining that the 
generated number VV N" is a prime. 
[0385] <Operation of Prime Generating Apparatus 2300> 

The operation of the prime generating apparatus 2300 is 

150 



described next. 

(Prime Generation Process) 

Here is described the prime generation process conducted 
in the prime generating apparatus 2300, using the flow diagram 
illustrated in FIG. 39. 

[0386] The prime generating apparatus 2300 accepts, in Step S2000, 

the prime xx q", the bit size xv lenq" of the prime xx q" , the issue 
identifier information XX IDI", and the bit size xx lenIDI" of the 
issue identifier information according to user's operation, and 
writes the accepted individual information to the accepted 
information storage unit 2302 . 

The prime generating apparatus 2300 executes Step S2005 
which is modified to generate the prime xx pIDI" . 

[0387] The prime generating apparatus 2300 executes Step S2010 

which is modified to generate a random number XX R" of 
(lenq-2xlenqg-l) bits. 

Since the following operational flow is the same as FIG. 

39, the description is left out. 

(Prime Candidate Generation Process) 

The prime candidate generation process is described here, 
focusing only on modified points, with the use of the flow diagram 
illustrated in FIG. 40. 
[0388] First, Step S2050 is omitted. 

Next, Step S2055 is modified so as to generate a number XX N 
= 2xRxqXpIDI+l" . 

Since the following operational flow is the same as FIG. 

40, the description is left out. 



<Additional Particulars> 

The bit size of the prime which is the generated private 
key is here 512 bits, however, the present invention is not limited 
to this. It may be 1024 bits, or 2048 bits. In addition, the 
prime generated in the above 1st prime generation unit is also 
not confined to 256 bits. 
[0389] (7) The prime generation unit 116 of the first embodiment 

may be composed of : a 1st prime generation unit for generating 
a 256 -bit prime from an 8-bit prime stored in advance; and a 2nd 
prime generation unit for generating a 512 -bit prime from a 
256-bit prime. Or alternatively, the 1st and 2nd prime 
generation units may be individual prime generating apparatuses . 

The 1st prime generation unit generates' a 128 -bit prime from 
an 8 -bit prime in a manner similar to the conventional technique, 
and generates a 256 -bit prime from a 128 -bit prime by employing 
the above-mentioned prime generating apparatus 2200. 
[0390] An example of the structure of the 2nd prime generation unit 

is illustrated in FIG. 43. The following description is given, 
assuming that the 2nd prime generation unit is a single prime 
generating apparatus 2400 . When the prime *q" , the bit size 
vv lenq" (here, 256 bits) of the prime, the issue identifier 
information M IDI", and the bit size "lenlDI" are given, the prime 
generating apparatus 2400 outputs a prime *N" of (2xlenq) bits. 
Note that the prime generating apparatus 24 00 generates the prime 
XN N" without using the 1st and 2nd verification values of the first 
embodiment. 

[03 91] The prime generating apparatus 2400, as shown in FIG. 43, 

comprises: an accepting unit 2401; an accepted information 



.. storage unit 2402; a random number generation unit 2403; a prime 
candidate generation unit 2405; a 1st primality testing unit 2405; 
and a 2nd primality testing unit 2106. 

The prime generating apparatus 2400 is, specifically 
speaking, a computer system composed of a microprocessor, ROM, 
RAM, a hard drive unit, a display unit, a keyboard, a mouse, and 
the like. A computer program is stored in the RAM or the hard 
drive unit. The microprocessor operates according to the 
computer program, and thereby the key issue audit server 2400 
achieves the function. 
[0392] <Accepted Information Storage Unit 240 2> 

The. accepted information storage unit 2402 has an area to 
store the prime *q" , the bit size "lenq" of the prime xx q", the 
issue identifier information VV IDI", and the bit size "lenlDI" 
of the issue identifier information, all of which are given at 
the generation of the prime "N" . 

<Accepting Unit 2401> 

The accepting unit 2401 accepts the prime *q", the bit size 
^lenq" of the prime x 'q" , the issue identifier information *IDI", 
and the bit size "lenlDI" of "IDI" from outside (e.g. the 1st 
prime generation unit shown above) , and writes the accepted prime 
Nv q" , bit size vv lenq" , issue identifier information VX IDI", and 
bit size *lenIDI" to the accepted information storage unit 2402. 
[0393] The accepting unit 2401 outputs a start direction indicating to 

start the process to the prime candidate generation unit 2404. 

<Random Number Generation Unit 2403> 

Receiving a 1st generation direction indicating generation 
of a random number from the prime candidate generation unit 2404, 



the random number generation unit 2403 reads the bit size NV lenq" 
of the prime xv q" and the bit size "lenlDI" of the issue identifier 
information "IDI" from the accepted information storage unit 
2402. 

[0394] The random number generation unit 2403 generates a random 

number *R1" of ( lenq-lenIDI-1) bits, using the read bit size 
"lenq" and "lenlDI". Here, the first bit of the random number 
*R1" is 1. 

The random number generation unit 2403 outputs the generated 
random number VX R1" to the prime candidate generation unit 2404. 

In addition, accepting a 2nd generation direction indicating 
regeneration of a random number from either one of the 1st and 
2nd primality testing units 2405 and 2406, the random number 
generation unit 2403 reads each bit size, and then performs the 
above operation. 
[0395] <Prime Candidate Generation Unit 2404> 

The prime candidate generation unit 2404 has a generated 
information storage area to store a generated number. 

Receiving a start direction from the accepting unit 2401, 
the prime candidate generation unit 2404 outputs the 1st 
generation direction to the random number generation unit 2403. 
[0396] Receiving the random number >N R1" from the random number 

generation unit 2403, the prime candidate generation unit 2404 
reads the prime "q" and the issue identifier information "IDI" 
stored in the accepted information storage unit 2402. 

The prime candidate generation unit 2404 generates a number 
*R = IDIXR1" and a number VX N = 2xRxq+l", using the read prime xx q" 
and issue identifier information XX IDI" as well as the random 



number XX R1" received from the random number generation unit 2403 . 

[0397] The prime candidate generation unit 2404 judges whether the 

bit size of the generated number XX N" is xx 2xlenq". 

When determining that it is xx 2xlenq", the prime candidate 
generation unit 2404 outputs the generated number XX N" to the 1st 
primality testing unit 2405, and stores the generated number XX R" 
in the generated information storage area . 

[0398] When determining that it is not xx 2xlenq" , the prime candidate 

generation unit 2404 multiplies the random number XX R1" received 
from the random number generation unit 2403 by 2, and makes the 
result XX R1", with which the prime candidate generation unit 2404 
conducts the above operation once again to generate the numbers 
XX R" and XX N" 

The prime candidate generation unit 2404 repeats the above 
operation until the bit size of the number XX N" becomes xx 2xlenq". 
[0399] <lst Primality Testing Unit 2405> 

The 1st primality testing unit 2405 performs the same 
operation as one performed by the 1st primality testing unit 143 
shown in the first embodiment, and therefore the description is 
left out here. 

<2nd Primality Testing Unit 2406> 

The 2nd primality testing unit 2406 performs the same 
operation as one performed by the 2nd primality testing unit 144 
shown in the first embodiment, and therefore the description is 
left out here. 

[0400] Note that the 2nd primality testing unit 2406 outputs the 

generated number XX N" as a prime XX N" when determining that the 
generated number XX N" is a prime. 
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<Operation of Prime Generating Apparatus 24 00> 
The operation of the prime generating apparatus 2400 is 
described next. 

(Prime Generation Process) 

The prime generation process conducted in the prime 
generating apparatus 2400 is described here, focusing only on 
modified points, with the use of the flow diagram illustrated 
in FIG . 39. 

[0401] The prime generating apparatus 2400 accepts, in Step S2000, 

the prime xv q" , the bit size XN lenq" of the prime XN q", the issue 
identifier information W IDI" , and the bit size NX lenIDI" of the 
issue identifier information, and writes the accepted individual 
information to the accepted information storage unit 2402. 

After executing Step S2000, which is modified as above, the 
prime generating apparatus 2400 omits Step S2005, and executes 
Step S2010 modified as follows. The prime generating apparatus 
2400 executes Step S2010 that is modified to generate a random 
number *R1" of (lenq-lenIDI-1) bits. 

0402] Since the following operational flow is the same- as FIG. 39, 

the description is left out. 

(Prime Candidate Generation Process) 

The prime candidate generation process is described here, 
focusing only on modified points , with the use of the flow diagram 
illustrated in FIG. 40. 

First, Step S2050 is modified so as to generate a number VX R 
- IDIXRl" . 

0403] Next, Step S2055 is modified so as to generate a number = 
2xRxq+l". 



^Since the following operational flow is the same as FIG. 40, 
the description is left out. 

(8) The prime generation unit 116 of the first embodiment 
of the prime generation may be composed of : a 1st prime generation 
unit that generates a 256 -bit prime from an 8-bit prime stored 
in advance; and a 2nd prime generation unit that generates a 
512-bit prime from a 256-bit prime. Additionally, the 1st and 
2nd prime generation units may be individual prime- generating 
apparatuses . 

[0404] The 1st prime generation unit generates a 128 -bit prime from 

an 8 -bit prime in a manner similar to the conventional technique, 
and generates a 256 -bit prime from a 128 -bit prime by employing 
the above-mentioned prime generating apparatus 2200. 

An example of the structure of the 2nd prime generation unit 
is illustrated in FIG. 44. The following description is given, 
assuming that the 2nd prime generation unit is a single prime 
generating apparatus 2500. When the prime vx q", the bit size 
xx lenq" (here, 256 bits) of the prime, the issue identifier 
information W IDI", the bit size xx lenIDI", and the verification 
value n c" are given, the prime generating apparatus 2500 outputs 
a prime "N" of (2xlenq) bits. 

[0405] The prime generating apparatus 2500, as shown in FIG. 44, 

comprises : an accepting unit 2501 ; an accepted information storage unit 
2502 ; a random number generation unit 2503 ; a prime candidate generation 
unit 2504 ; a 1st primality testing unit 2505 ; and a 2nd primality testing 
unit 2506. 

The prime generating apparatus 2500 is, specifically 
speaking, a computer system composed of a microprocessor, ROM, 



RAM, a hard drive unit, a display unit, a keyboard, a mouse, and 
the like. A computer program is stored in the RAM or the hard 
drive unit. The microprocessor operates according to the 
computer program, and thereby the key issue audit server 2500 
achieves the function. 
[0406] <Accepted Information Storage Unit 2502> 

The accepted information storage unit 2502 has an area to 
store the prime xx q" given at the generation of the prime XX N", 
the bit size xx lenq" of the prime xx q" , the issue identifier 
information XX IDI", the bit size xx lenIDI" of the issue identifier 
information, and the verification value xx c". 

<Accepting Unit 2501> 

The accepting unit 2501 accepts the prime xx q", the bit size 
xv lenq" of the prime xv q" , the issue identifier information VX IDI", 
the bit size xx lenIDI" of the issue identifier information, and 
the verification value xx c" from outside (e.g. the 1st prime 
generation unit shown above) , and writes the accepted prime xx q" , 
bit size xx lenq", issue identifier information XX IDI", bit size 
xv lenIDI" and verification value xx c" to the accepted information 
storage unit 2502. 
0407] The accepting unit 2501 outputs a start direction indicating 

to start the process to the prime candidate generation unit 2504 . 
<Random Number Generation Unit 2503> 

Receiving a 1st generation direction indicating generation 
of a random number from the prime candidate generation unit 2504, 
the random number generation unit 2503 reads the bit size xx lenq" 
of the prime xv q" and the bit size xv lenIDI" of the issue identifier 
information from the accepted information storage unit 2502. 
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[0408] The random number generation unit 2503 generates a random 

number VX R1" of ( lenq-lenIDI-1) bits, using the read bit size 
>x lenq" and "lenlDI". Here, the first bit of the random number 
XV R1" is 1. 

The random number generation unit 2503 outputs the generated 
random number VN R1" to the prime candidate generation unit 2504. 

In addition, accepting a 2nd generation direction indicating 
regeneration of a random number from either one of the 1st and 
2nd primality testing units 2505 and 2506, the random number 
generation unit 2503 reads each bit size, and- then performs the - 
above operation. 
[0409] <Prime Candidate Generation Unit 2504> 

The prime candidate generation unit 2504 has a generated 
information storage area to store a generated number. 

Receiving a start direction from the accepting unit 2501, 
the prime candidate generation unit 2504 outputs the 1st 
generation direction to the random number generation unit 2503. 
[0410] Receiving the random number "Rl" from the random number 

generation unit 2503, the prime candidate generation unit 2504 
reads the prime *q" , the issue identifier information ^IDI", and 
the verification value xx c" stored in the accepted information 
storage unit 2502. 

The prime candidate generation unit 2504 generates a number 
XX R = IDIXR1" and a number VV N = 2x(R+w)xq+l" , using the read. prime 
xx q", issue identifier information "IDI", and verification value 
"c" as well as the random number XV R1" received from the random 
number generation unit 2503. 
[0411] Here, *w" is a number satisfying AV 2xwxq+l = c mod IDI, 
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0<w<IDI" . xx w" is found by calculating vv w - (c-l)xm mod IDI" . *m" 
is a number satisfying vv (2xq)Xm = 1 mod IDI". 

The prime candidate generation unit 2504 judges whether the 
bit size of the generated number *N fl is "2xlenq" . 
[0412] When determining that it is ^2xlenq", the prime candidate 

generation unit 2504 outputs the generated number *N" to the 1st 
primality testing unit 2505, and stores the generated number XN R" 
in the generated information storage area. 

When determining that it is not xx 2xlenq" , the prime candidate 
generation unit 2504 multiplies the random number "Rl" received 
from the random number generation unit 2503 by 2, and makes the 
result *R1", with which the prime candidate generation unit 2504 
conducts the above operation once again to generate the numbers 
*R" and XV N" . 

[0413] The prime candidate generation unit 2504 repeats the above 

operation until the bit size of the number "N" becomes xv 2xlenq" . 
<lst Primality Testing Unit 2505> 

The 1st primality testing unit 2505 performs the same 
operation as one performed by the 1st primality testing unit 143 
shown in the first embodiment, and therefore the description is 
left out here. 
[0414] <2nd Primality Testing Unit 2506> 

The 2nd primality testing unit 2506 performs the same 
operation as one performed by the 2nd primality testing unit 144 
shown in the first embodiment, and therefore the description is 
left out here. 

Note that the 2nd primality testing unit 2506 outputs the 
generated number XX N" as a prime VV N" when determining that the 



generated number M N" is a prime. 
[0415] <Operation of Prime Generating Apparatus 2500> 

The operation of the prime generating apparatus 2500 is 
described next. 

(Prime Generation Process) 

The operation of the prime generation process conducted in 
the prime generating apparatus 2500 is described here, focusing 
only on modified points, with the use of the flow diagram 
illustrated in FIG. 39. 
[0416] The prime generating apparatus 2500 accepts, in Step S2000, 

the prime xv q" , the bit size XN lenq" of the prime xx q" , the issue 
identifier information XX ID1" , the bit size xx lenIDI" of the issue 
identifier information, and the verification value xx c" , and 
writes the accepted individual information to the accepted 
information storage unit 2502 . 

After executing Step S2000 which is modified as above, the 
prime generating apparatus 2500 omits Step S2005, and executes 
Step S2010 modified as follows. The prime generating apparatus 
2500 executes Step S2010 which is modified to generate a random 
number XX R1" of ( lenq-lenIDI-1) bits. 
[0417] Since the following operational flow is the same as FIG. 

39, the description is left out. 

(Prime Candidate Generation Process) 

The prime candidate generation process is described here, 
focusing only on modified points , with the use of the flow diagram 
illustrated in FIG. 40. 

First, Step S2050 is modified so as to generate a number 
XX R = IDIXR1" . 



[0418] Next, Step S2055 is modified so as to generate a number VX N 

= 2x(R+w)xq+l" . 

Since the following operational flow is the same as FIG. 
40, the description is left out. 
[0419] (9) In the above first embodiment, the prime generation unit 

116 applies the injection function *f " , and then, embeds the issue 
identifier information VV IDI". However, the prime generation 
unit 116 may only apply the injection function xv f", or may only 
perform embedding of the issue identifier information XX IDI". 

In the case where only the injection function is applied, 
the uniqueness of the generated prime is satisfied. Here, the 
injection function can be applied at any timing. 

In the case where only the embedding of the issue identifier 
information M IDI" is performed, the validity of the generated 
key can be examined using XX IDI" although the uniqueness of the 
generated prime is not satisfied. Note that, . in the case of 
performing only the embedding of the issue identifier information 
*IDI", the application of the injection function is conducted 
when a 512-bit prime is generated from a 256-biot prime. 
[0420] This is also the case with the second embodiment. 

(10) In the above first and second embodiments, when the 
control information is vv Information B" , the prime generation unit 
116 generates the number XX R - f (IDI | | Rl) " by applying an injection 
function. However, the present invention is not confined to 
this . 

For example, when the control information is XN Information 
B" , the prime generation unit 116 may generate a number XX R = 
f (Rl|| IDI)", a number XX R - f(IDI)||Rl", or a number "R = 



Rl | | f ( IDI ) " . 

[0421] Furthermore, without using the injection function, a number 

"R = (IDI | |R1)" or a number "R = Rl | |IDI" may be generated. 

Additionally, each bit composing the random number "Rl" is 
embedded in the bit string of the issue identifier information 
"IDI", and the number "R" can be generated by applying the 
injection function "f" to the embedded result (hereinafter, 
referred to as "IDIJR1"). 

[0422] One such example is shown in FIG. 45. The issue identifier 

information "IDI" is, specifically speaking, 64 bits, as 

mentioned above, and has a bit string of "S1S2S3S4...S62S63S64" - The 
random number "Rl" is, to be more specific 63 bits, and the bit 

string is "TiT2T3T4...T6iT 62 T63" - Here, "S n " and "T m " are either "0" 
or "1" . Note that "n" is a number no less than 1 and no more than 
64, while "m" is a number no less than 1 and no more than 63. 
Here, the bit string of "IDI_R1" becomes 

* S 1 TiS 2 T 2 S3T3S 4 T4 . . .T 61 S 6 2T62S63T 63 S64 " . 

[0423] Note that, in this example, individual bits of the random 

number "Rl" are embedded for each bit of the bit string of the 
issue identifier information "IDI"; however, the present 
invention is not limited to this. Instead, the number "IDI_R1" 
is generated by embedding individual bits of the random number 
"Rl" for every some bits of the bit string of the issue identifier 
information "IDI". Here, "IDI_R1" is generated by joining all 
the bits, which are not embedded within the bit string of "IDI", 
together to the last bit of this bit string. 

[0424] In addition, the number "IDIJR1" may be generated by 

embedding each bit of the issue identifier information "IDI" in 



the bit string of the random number VV R1" . For example, in the 
case of embedding individual bits with respect to each bit of 
the bit string of the random number *R1", the bit string of the 

number *IDI_R1" becomes xx TiSiT2S2T3S3T 4 S4...T 6 2S62T63S63S64" • 

The number VX R" is generated by, first, generating the number 

' V IDI_R1" from the issue identifier information U IDI" and the 
random number XX R1", and then applying the injection function *f " 
to the generated number XN IDI_R1"; however, the present invention 
is not limited to this. The number VV R" may be "R = IDI_R1" . 
[0425] (11) m the above first embodiment, when the control 

information * Information A" , the prime generation unit 116 
conducts the embedding of the issue identifier information AX IDI" ; 
however, the information to be embedded is not confined to *IDI" . 

For example, the information to be embedded may be a value 
using "g" that is a secret function known only by the key issuing 
server 100 and the certificate issuing server 200, and is a 
one-to-one function. Here, the value embedded instead of "IDI" 
is *g(IDI) " . 

[0426] This is also the case with the second embodiment. 

(12) In the above first embodiment, a safe communication 
pathway is established between the key issuing server 100 and 
the terminal 300, and then the private and public keys are 
transmitted from the key issuing server 100 to the terminal 300; 
however, the present invention is not limited to this. 

For example, the private and public keys may be transmitted 
from the key issuing server 100 to the terminal 300 via an 
input-output device at the manufacture of the terminal 300. 

[0427] This is also the case with the second embodiment. 



(13) In the above first and second embodiments, portable 
phones are used as a specific example of the terminals; however, 
the present invention is not limited to these. 

Any terminal can be used if it is capable of receiving 
encrypted data via a network and decrypting the encrypted data . 
0428] For example, personal computers and PDA (Personal Digital 

Assistants) are examples of such. 

(14) In the above first and second embodiments, the issue 
identifier information VN IDI" is an odd number; however, when a 
verification value is not used for the prime generation, the issue 
identifier information XV IDI" does not have to be an odd number. 
0429] Here, in the case where the prime is generated using the 

server identifier and an issue identifier XV PID" which is generated, 
by a counter, in the order starting from 1, the identifier 
generation unit 115 is capable of readily generating a different 
prime each time by increasing %V PID" by 1 every time when issuing 
(generating) a prime. 

(15) In the first and second embodiments, the bit size of 
the prime, which is a private key to be generated, does not have 
to be 512 bits, and could be 1024 bits or 2048 bits. Here, as 
to the bit size (here, "lenN") of the prime that is a private 
key, the prime generation unit 116 generates a prime of (lenN/4) 
bits using the conventional prime generation technique; then, 
generates a prime of (lenN/2) bits by applying the injection 
function vv f"; and finally, generates a prime *N" of xv lenN" bits, 
in which the issue identifier information M IDI" has been embedded. 
0430] Note that, when only embedding of the issue identifier 

information *IDI" is performed, the prime generation unit 



generates the prime of (lenN/2) bits by the conventional prime 
generation technique, and, at the end, generates the prime *N" 
of xv lenN" bits in which the issue identifier information *IDI" 
has been embedded. 

In addition, when only the generation of a unique prime by 
the application of the injection function vx f " is performed, the 
prime generation unit generates the prime of ( lenN/2 ) bits by 
the conventional prime generation technique, and then generates 
the prime of (lenN) bits by the application of the injection 
function xv f " . 

[0431] (16) The prime generation unit 116 of the first embodiment may 

be a single prime generating apparatus. Here, an integer number len 
and the issue identifier information IDI may be input to the prime 
generating apparatus may input, and the prime generating apparatus then 
outputs a prime of len bits. 

Additionally, as described above, the prime generation unit 
116 of the first embodiment may use, instead of the prime 
information generation unit 133, any one of the prime information 
generation units 133A, 133B, and 133C of Modified Examples 1, 
2 and 3 of the prime generation. 

[0432] In addition, when generating a 512-bit prime from an 8-bit 

prime, the prime generation unit 116 of the first embodiment may 
apply the injection function XN f " only once without embedding the 
issue identifier information VV IDI". Here, receiving the 
certificate issue request information and the public key, the 
certificate issuing server 200 issues the public key certificate 
vx Cert" without examining the validity. 

[0433] (17) The method for including the issue identifier information 



in a prime is not confined to the above embodiments. For example, a 
prime whose low-order lenlDI bits are IDI may be generated and issued. 

(18) The number of the key issuing server is not limited 
to three, although at least one key issuing server is required. 
Here, each key issuing server uses the same prime generation 
technique. 

(19) Conditional equation used by the 2nd primality testing 
unit 144 of the first embodiment for judging a prime is not limited 
to (Eq.2) shown above. 

[0434] Using a conditional equation "GCD( 2^ ( 2R) - 1 , N) = 1", the 

2nd primality testing unit 144 judges whether the number *N" 
received from the 1st primality testing unit 143 satisfies the 
conditional equation. When the 2nd primality testing unit 144 
determines that it satisfies the conditional equation/ the number 
XX N" is taken as a prime VX N" . 

(20) In the first embodiment, the key issuing server 100 
distributes the private key and public key certificate to the 
terminal 300; however, the present invention is not confined to 
this . The key issuing server 100 may distribute only the private 
key to the terminal 300. Here, the key issuing server 100 
publishes the public key certificate to third parties. 
Alternatively, the key issuing server 100 publishes the public 
key to third parties . 

[0435] (21) In the first embodiment, the prime generation unit 116 manages, 

at the output counter 136, the number of primes having been output to 
the key judgment unit 117 ; however, the present invention is not limited 
to this. 

The key judgment unit 117 may count the number of received 



primes . The following shows an example of such a case . 

Receiving an order to start prime generation from the 
identifier generation unit 115, the prime generation unit 116 
generates a prime vv pl" , and outputs the generated prime xx pl" to 
5 the key judgment unit 117 . Receiving a request for the next prime 

from the key judgment unit 117, the prime generation unit 116 
generates a prime xv p2" , and outputs the generated prime "p2" to 
the key judgment unit 117 . Note that the generation of the primes 
*pl" and XN p2" is the same as in the first embodiment, and therefore 

10 the description is left out here. 

[0436] Receiving a prime from the prime generation unit 116, the 

key judgment unit 117, using a counter (the initial value is *0") , 
increases the value of the counter by 1. Then, the key judgment 
unit 117 judges whether the result is 1. When determining that 

15 it is 1, the key judgment unit 117 requests the prime generation 

unit 116 for the next prime. When determining that it is not 1, 
the key judgment unit 117 judges whether the primes xv pl" and "p2" 
match each other. The following operation is the same as in the 
first embodiment, and therefore the description is left out here. 

20 [0437] (22) In the above first and second embodiments, the bit size 

of the issue identifier information *IDI" is 64 bits; however, 
the present invention is not limited to this. The issue 
identifier information can take any bit size as long as it is 
smaller than (lenq-1) . 

25 Additionally, in Modified Example 3 of the prime generation, 

the bit size of the prime vv qg" is 64 bits; however, the present 
invention is not confined to this. Any prime can be used as the 
prime vv qg" if the bit size *lenqg" satisfies * (2xlenqg)<( lenq-1 ) " . 
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Here, the bit size of the issue identifier information should 

be smaller than that of the prime xx qg" . 
[0438] (23) At the issue public key determination unit 214 of the 

certificate issuing server 200 , the judgment of whether the public 

key XX PK = (n, e)" has been generated using the issue identifier 

information XX IDI" is achieved by verifying whether xx n- (cllxcl2) " 

is divisible by XX IDI". Here is a specific example of the 

verification method. 

A specific operational flow of the verification method is 

described here, using a flow diagram shown in FIG. 46. 
[0439] The issue public key determination unit 214 makes the number 

n-(cllXcl2)" XX Q" (Step S2500). 

Next , the issue public key determination unit 214 calculates 

XX Q-IDI", and makes the calculated result XX Q" once again (Step 

S2505) . 

The issue public key determination unit 214 judges whether 
the number XX Q" is smaller than the issue identifier information 
XX IDI" (Step S2510) . 

[0440] When determining that it is smaller ( XV YES" in Step S2510), 

the issue public key determination unit 214 judges whether the 
number XX Q" is xx 0" (Step S2515) . 

When determining that it is xx 0" ( XX YES" in Step S2515), the 
issue public key determination unit 214 outputs the verification 
result xx 0" (Step S2520) . When determining that it is not xv 0" ( xx NO" 
in step S2515), the issue public key determination unit 214 
outputs the verification result xv l" (Step S2525) . 

[0441] When determining that the number VV Q" is no less than the 

issue identifier information XX IDI" ( xx NO" in Step S2510), the 
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process returns to Step S2505. 

According to the operation, it is capable of determining 
whether the public key XX PK = (n, e)" has been generated using 
the issue identifier information VV IDI". 
5 After the verification process described above is performed 

in Step S670 shown in FIG. 18, the issue public key determination 
unit 214 determines that the public key "PK" has been generated 
using the issue identifier information VV IDI" when the output 
verification result is *0". On the other hand, when the 

10 verification result is "1" , the issue public key determination 

unit 214 determines that the public key XV PK" has been generated 
without using the issue identifier information XV IDI". 
[044 2] (24) When the number "N" generated by the prime candidate 

generation unit 142 does not satisfy "lenN = 2xlenq" , it is said 

15 above that VX R1 =' 2XR1" . A specific example of the computation 

is shown next. 

When the generated number *N" does not satisfy "lenN = 
2xlenq" , the prime candidate generation unit 142 shifts the bit 
string of the number *R1" by one bit to the left. Here, the last 
20 bit is set to u 0". Herewith, *R1 = 2XR1" can be established. 

[0443] (25) In the first and second embodiments, the number AX N" 

is calculated as ' X N= 2x(R+w)xq+ 1" ; however, the present invention 
is not confined to this. > N N" may be calculated as XX N = 2XRXq+c" . 
This is because XX N = 2x(R+w)xq+l" can be modified as follows 
2 5 by using the above-mentioned conditional equations of vx w" and 

xv m" — "w = (c-l)xm mod IDI /r and vx (2xq)Xm = 1 mod IDI". 
[044 4] 2x(R+w)Xq+l = 2XRXq-f 2Xwxq+l 

= 2xRxq+2X(c-l)xmXq+l 
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= 2xRxq+2x(c-l)x(l/2q)Xq+l 
= 2XRXq+(c-l)+l 
= 2XRXq+c. 

Herewith, it can be seen that VV N - 2xRxq+c" can be used, 
instead of = 2x(R+w)xq+ 1" . 

[0445] Note that "c" is a verification value, and the verification 

value * v c" becomes xv cll" when the value of the output counter is 
xx l", and becomes XN cl2" when the value of the counter is "2" or 
more. For example, the certificate issuing server 200 of the 
first embodiment judges whether "N-cllxcl2" is divisible by n IDI", 
and thereby the validity of the generated public key is examined. 

[0446] (26) A "prime verification apparatus for verifying the validity 

of the prime generated by the key issuing server may be added to the 
key issuing system 1 of the first embodiment. 

The operations of the prime verification apparatus and the 
key issuing server 100. in this case is described next. 

The prime verification apparatus stores in advance a 
verification -value table, as in the case of the certificate 
issuing server. 

[0447] After generating the prime "pi" at the prime generation unit 

116, the key issuing server 100 outputs the generated prime xv pl" , 
the issue identifier information "IDI" t and the server identifier 
to the prime verification apparatus. 

Receiving the prime AN pi" , issue identif ier information *IDI" , 
and server identifier from the key issuing server 100, the prime 
verification apparatus reads a 1st verification value xv cll" 
corresponding to the received server identifier, calculates 
vv pl-cll" using the read 1st verification value *cll", and judges 
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whether the calculation result is divisible by ^IDI". When 
determining that it is divisible, the prime verification 
apparatus outputs information permitting the use of the prime 
vx pl" to the key issuing server 100. When determining that it is 
5 not divisible, the prime verification apparatus outputs 

information prohibiting the use of the prime xx pl" to the key 
issuing server 100. 
[044 8] Receiving information prohibiting the use of vv pl" from the 

prime verification apparatus, the prime generation unit 116 of 
10 . the key issuing server 100 generates the prime xv pl" once again, 

and repeats the above operation. 

Receiving information permitting the use of the prime *pl" 
from the prime verification apparatus, the prime generation unit 
116 of the key issuing server 100 outputs the generated prime 
15 *pl" to the key judgment unit 117 and generates a prime "p2".. 

The prime generation unit 116 outputs the generated prime vx p2" , 
the issue identifier information "IDI" , and the server identifier 
to the prime verification apparatus. 
[0449] Receiving the prime "p2" , issue identifier information *IDI" , 

20 and server identifier from the key issuing server 100, the prime 

verification apparatus reads a 2nd verification value "cl2" 
corresponding to the received server, identifier, calculates 
*p2-cl2" using the read 2nd verification value xx cl2", and judges 
whether the calculation result is divisible by "IDI". When 
25 determining that it is divisible, the prime verification 

apparatus outputs information permitting the use of the prime 
"p2" to the key issuing server 100. When determining that it is 
not divisible, the prime verification apparatus outputs 
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information prohibiting the use of the prime u p2" to the key 
issuing server 100. 
[0450] Receiving the information prohibiting the use of the prime 

>N p2" from the prime verification apparatus, the prime generation 
unit 116 of the key issuing server 100 generates a prime xv p2" 
once again, and repeats the above operation. 

Receiving the information permitting the use of the prime 
vx p2" from the prime verification apparatus, the prime generation 
unit 116 of the key issuing server 100 outputs the generated prime 
*p2" and a judgment start order to the key judgment unit 117. 
[0451] The following operation of the key issuing server 100 is 

the same as in the first embodiment, and therefore the description 
is .left out here. 

Note that, when receiving a regeneration order from the key 
judgment unit 117 , the prime generation unit 116 generates a prime 
" v p2" once again, and repeats the above operation. 

(27) In the first and second embodiments, the 1st and 2nd 
verification values are assigned for each key issuing server; 
however, the present invention is not limited to this. 
[0452] The 1st and 2nd verif ication values are assigned for each terminal , 

arid a table made up of terminal identifiers and the 1st and 2nd 
verification values assigned for each terminal may be managed by the 
key issuing server and the certificate issuing server. 

The key issuing server generates primes %x pi" and xv p2" using 
the 1st and 2nd verification values corresponding to a terminal 
having requested a key issue, and generates public and private 
keys using the generated xs pl" and NV p2" . When requesting a public 
key certificate, the key issuing server transmits the public key, 



issue identifier information, server identifier, and terminal 
identifier to the certificate issuing server. 

[0453] The certificate issuing server reads the 1st and 2nd verification 

values corresponding to the received terminal identifier, and verifies 
the validity of the public key using the read verification value, as 
well as the received public key and issue identifier information. 

By assigning two verification values for each terminal, the 
validity of a public key assigned for each terminal can be verified 
while the uniqueness of the public key is maintained. 

[0454] In addition, by using the prime verification apparatus described 

above, each generated prime may be verified whether it is a valid prime. 
Note that the prime verification apparatus should have a table including 
terminal identifiers and 1st and 2nd verification values assigned for 
each terminal. 

(28) In the first and second embodiments, the terminal and 
key issuing server are respective apparatuses ; however , the 
terminal may conduct key issuing. 
[0455] In this case, for example, the terminal includes, in addition to 

the structure shown in the first embodiment : the identifier repository; 
identifier generation unit; prime generation unit; key judgment unit; 
key generation unit; and public key repository that are described in 
the description of the structure of the key issuing server 100. 

The terminal generates, using the identifier generation 
unit, issue identifier information XX IDI = TID||1" from the 
terminal identifier and the number ' v l", and stores the generated 
issue identifier information in the identifier repository. 
[0456] The terminal generates public and private keys using the prime 

generation unit, key judgment unit, and key generation unit, and stores 
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the generated public key in the public key repository while storing 
the generated private key in the private key repository. 

In addition, the terminal transmits the issue identifier 
information, public key, terminal identifier, and certificate 
issue request information to the certificate issuing server, and 
receives a public key certificate from the certificate issuing 
server . 

Alternatively, the terminal may be an IC card. In this case, 
the IC card generates and stores keys. Note that the generation 
and storage of the issue identifier information may be handled 
by the IC card. In this case, the communication between the IC 
card and the certificate issuing server is performed by loading 
the IC card onto, the apparatus network -connected to the 
certificate issuing server. 
[0457] -(29) A serial number is used as an example of the terminal 

identifier; however, the present invention is not confined to this. 

The terminal identifier may be biometric information showing 
user's biological characteristics. Such biometric information 
includes, for example: fingerprint information indicating 
characteristics of the user's fingerprints; voiceprint 
information indicating characteristics of the user's voiceprint; 
iris information indicating characteristics of the user's 
irises; profile information indicating characteristics of the 
profile of the user's face; DNA information indicating 
characteristics of the user's DNA; and the combination of these. 
[0458] , In addition, part of the terminal identifier may be 
biometric information. 

Furthermore, the terminal identifier may be issued by a 



management server managing the terminal, and given via network 
communication from the management server. Or, a terminal 
identifier issued by the management server may be given via a 
storage medium such as a SD card. 

(30) The present invention may be a method of accomplishing 
the above. described unauthorized contents detection system. The 
present invention may be a computer program that achieves the 
method by a computer, or may be a digital signal representing 
the computer program. 
[0459]' The present invention may also be achieved by a 

computer -readable recording medium, such as a flexible disk, a 
hard disk, a CD-ROM (Compact Disk Read Only Memory), MO 
(Magneto -Optical) disk, a DVD, a DVD-ROM (Digital Versatile Disk 
Read Only Memory) , a DVD -RAM (Digital Versatile Disk Random Access 
Memory) , a BD (Blu-ray Disk) , or a semiconductor memory, on which 
the above-mentioned computer program or digital signal is 
recorded . The present invention may also be the computer program 
or the digital signal recorded on. such a storage medium. 
[0460] The present invention may also be the computer program or 

digital signal to be transmitted via networks, as represented 
by telecommunications, wire/wireless communications, and the 
Internet, or via data broadcasting. 

The present invention may also be a computer system having 
a microprocessor and memory, "wherein the memory stores the 
computer program and the microprocessor operates according to 
the computer program. 
[0461] The computer program or digital signal may be recorded on 

the above" storage medium and transferred to an independent 
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computer system, or alternatively, may be transferred to an 
independent computer system via the above network. Then, the 
independent computer system may execute the computer program or 
digital signal. 

5 (31) The present invention includes a structure in which 

two or more of the above embodiments and modifications are 
combined . 

Industrial Applicability 

10 [0462] Each server and terminal making up of the present invention 

can be manufactured and sold operationally, continuously and 
repeatedly in electric equipment manufacturing industries. In 
addition, each server and terminal making up of the present 
invention is applicable operationally, continuously and 

15 repeatedly in service industries using the Internet. 
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